170 the one of Isabelle/HOL. Moreover, since FDL has no counterpart of the \SPARK{} |
170 the one of Isabelle/HOL. Moreover, since FDL has no counterpart of the \SPARK{} |
171 operator \textbf{rem}, the \SPARK{} expression \texttt{c}\ \textbf{rem}\ \texttt{d} |
171 operator \textbf{rem}, the \SPARK{} expression \texttt{c}\ \textbf{rem}\ \texttt{d} |
172 just becomes \<open>c - c sdiv d * d\<close> in Isabelle. The first conclusion of |
172 just becomes \<open>c - c sdiv d * d\<close> in Isabelle. The first conclusion of |
173 \<open>procedure_g_c_d_4\<close> requires us to prove that the remainder of \<open>c\<close> |
173 \<open>procedure_g_c_d_4\<close> requires us to prove that the remainder of \<open>c\<close> |
174 and \<open>d\<close> is greater than \<open>0\<close>. To do this, we use the theorem |
174 and \<open>d\<close> is greater than \<open>0\<close>. To do this, we use the theorem |
175 \<open>zmod_zdiv_equality'\<close> describing the correspondence between \<open>div\<close> |
175 \<open>minus_div_mult_eq_mod [symmetric]\<close> describing the correspondence between \<open>div\<close> |
176 and \<open>mod\<close> |
176 and \<open>mod\<close> |
177 @{thm [display] zmod_zdiv_equality'} |
177 @{thm [display] minus_div_mult_eq_mod [symmetric]} |
178 together with the theorem \<open>pos_mod_sign\<close> saying that the result of the |
178 together with the theorem \<open>pos_mod_sign\<close> saying that the result of the |
179 \<open>mod\<close> operator is non-negative when applied to a non-negative divisor: |
179 \<open>mod\<close> operator is non-negative when applied to a non-negative divisor: |
180 @{thm [display] pos_mod_sign} |
180 @{thm [display] pos_mod_sign} |
181 We will also need the aforementioned theorem \<open>sdiv_pos_pos\<close> in order for |
181 We will also need the aforementioned theorem \<open>sdiv_pos_pos\<close> in order for |
182 the standard Isabelle/HOL theorems about \<open>div\<close> to be applicable |
182 the standard Isabelle/HOL theorems about \<open>div\<close> to be applicable |
192 the \<open>gcd\<close> of \<open>d\<close> and the remainder of \<open>c\<close> and \<open>d\<close> |
192 the \<open>gcd\<close> of \<open>d\<close> and the remainder of \<open>c\<close> and \<open>d\<close> |
193 is equal to the \<open>gcd\<close> of the original input values \<open>m\<close> and \<open>n\<close>, |
193 is equal to the \<open>gcd\<close> of the original input values \<open>m\<close> and \<open>n\<close>, |
194 which is the actual \emph{invariant} of the procedure. This is a consequence |
194 which is the actual \emph{invariant} of the procedure. This is a consequence |
195 of theorem \<open>gcd_non_0_int\<close> |
195 of theorem \<open>gcd_non_0_int\<close> |
196 @{thm [display] gcd_non_0_int} |
196 @{thm [display] gcd_non_0_int} |
197 Again, we also need theorems \<open>zmod_zdiv_equality'\<close> and \<open>sdiv_pos_pos\<close> |
197 Again, we also need theorems \<open>minus_div_mult_eq_mod [symmetric]\<close> and \<open>sdiv_pos_pos\<close> |
198 to justify that \SPARK{}'s \textbf{rem} operator is equivalent to Isabelle's |
198 to justify that \SPARK{}'s \textbf{rem} operator is equivalent to Isabelle's |
199 \<open>mod\<close> operator for non-negative operands. |
199 \<open>mod\<close> operator for non-negative operands. |
200 The VC \<open>procedure_g_c_d_11\<close> says that if the loop invariant holds before |
200 The VC \<open>procedure_g_c_d_11\<close> says that if the loop invariant holds before |
201 the last iteration of the loop, the postcondition of the procedure will hold |
201 the last iteration of the loop, the postcondition of the procedure will hold |
202 after execution of the loop body. To prove this, we observe that the remainder |
202 after execution of the loop body. To prove this, we observe that the remainder |
225 procedure, the local variables \texttt{C}, \texttt{D}, and \texttt{R} can |
225 procedure, the local variables \texttt{C}, \texttt{D}, and \texttt{R} can |
226 be declared as \texttt{Natural} rather than \texttt{Integer}. Since natural |
226 be declared as \texttt{Natural} rather than \texttt{Integer}. Since natural |
227 numbers are non-negative by construction, the values computed by the algorithm |
227 numbers are non-negative by construction, the values computed by the algorithm |
228 are trivially proved to be non-negative. Since we are working with non-negative |
228 are trivially proved to be non-negative. Since we are working with non-negative |
229 numbers, we can also just use \SPARK{}'s \textbf{mod} operator instead of |
229 numbers, we can also just use \SPARK{}'s \textbf{mod} operator instead of |
230 \textbf{rem}, which spares us an application of theorems \<open>zmod_zdiv_equality'\<close> |
230 \textbf{rem}, which spares us an application of theorems \<open>minus_div_mult_eq_mod [symmetric]\<close> |
231 and \<open>sdiv_pos_pos\<close>. Finally, as noted by Barnes @{cite \<open>\S 11.5\<close> Barnes}, |
231 and \<open>sdiv_pos_pos\<close>. Finally, as noted by Barnes @{cite \<open>\S 11.5\<close> Barnes}, |
232 we can simplify matters by placing the \textbf{assert} statement between |
232 we can simplify matters by placing the \textbf{assert} statement between |
233 \textbf{while} and \textbf{loop} rather than directly after the \textbf{loop}. |
233 \textbf{while} and \textbf{loop} rather than directly after the \textbf{loop}. |
234 In the former case, the loop invariant has to be proved only once, whereas in |
234 In the former case, the loop invariant has to be proved only once, whereas in |
235 the latter case, it has to be proved twice: since the \textbf{assert} occurs after |
235 the latter case, it has to be proved twice: since the \textbf{assert} occurs after |