------------------------------------------------------------------------------ -- -- -- GNAT RUN-TIME COMPONENTS -- -- -- -- S Y S T E M . E X P O N T -- -- -- -- B o d y -- -- -- -- Copyright (C) 1992-2022, Free Software Foundation, Inc. -- -- -- -- GNAT is free software; you can redistribute it and/or modify it under -- -- terms of the GNU General Public License as published by the Free Soft- -- -- ware Foundation; either version 3, or (at your option) any later ver- -- -- sion. GNAT is distributed in the hope that it will be useful, but WITH- -- -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -- -- or FITNESS FOR A PARTICULAR PURPOSE. -- -- -- -- As a special exception under Section 7 of GPL version 3, you are granted -- -- additional permissions described in the GCC Runtime Library Exception, -- -- version 3.1, as published by the Free Software Foundation. -- -- -- -- You should have received a copy of the GNU General Public License and -- -- a copy of the GCC Runtime Library Exception along with this program; -- -- see the files COPYING3 and COPYING.RUNTIME respectively. If not, see -- -- . -- -- -- -- GNAT was originally developed by the GNAT team at New York University. -- -- Extensive contributions were provided by Ada Core Technologies Inc. -- -- -- ------------------------------------------------------------------------------ package body System.Expont with SPARK_Mode is -- Preconditions, postconditions, ghost code, loop invariants and -- assertions in this unit are meant for analysis only, not for run-time -- checking, as it would be too costly otherwise. This is enforced by -- setting the assertion policy to Ignore. pragma Assertion_Policy (Pre => Ignore, Post => Ignore, Ghost => Ignore, Loop_Invariant => Ignore, Assert => Ignore); -- Local lemmas procedure Lemma_Exp_Expand (A : Big_Integer; Exp : Natural) with Ghost, Pre => A /= 0, Post => (if Exp rem 2 = 0 then A ** Exp = A ** (Exp / 2) * A ** (Exp / 2) else A ** Exp = A ** (Exp / 2) * A ** (Exp / 2) * A); procedure Lemma_Exp_In_Range (A : Big_Integer; Exp : Positive) with Ghost, Pre => In_Int_Range (A ** Exp * A ** Exp), Post => In_Int_Range (A * A); procedure Lemma_Exp_Not_Zero (A : Big_Integer; Exp : Natural) with Ghost, Pre => A /= 0, Post => A ** Exp /= 0; procedure Lemma_Exp_Positive (A : Big_Integer; Exp : Natural) with Ghost, Pre => A /= 0 and then Exp rem 2 = 0, Post => A ** Exp > 0; procedure Lemma_Mult_In_Range (X, Y, Z : Big_Integer) with Ghost, Pre => Y /= 0 and then not (X = -Big (Int'First) and Y = -1) and then X * Y = Z and then In_Int_Range (Z), Post => In_Int_Range (X); ----------------------------- -- Local lemma null bodies -- ----------------------------- procedure Lemma_Exp_Not_Zero (A : Big_Integer; Exp : Natural) is null; procedure Lemma_Mult_In_Range (X, Y, Z : Big_Integer) is null; ----------- -- Expon -- ----------- function Expon (Left : Int; Right : Natural) return Int is -- Note that negative exponents get a constraint error because the -- subtype of the Right argument (the exponent) is Natural. Result : Int := 1; Factor : Int := Left; Exp : Natural := Right; Rest : Big_Integer with Ghost; -- Ghost variable to hold Factor**Exp between Exp and Factor updates begin -- We use the standard logarithmic approach, Exp gets shifted right -- testing successive low order bits and Factor is the value of the -- base raised to the next power of 2. -- Note: for compilation only, it is not worth special casing base -- values -1, 0, +1 since the expander does this when the base is a -- literal, and other cases will be extremely rare. But for proof, -- special casing zero in both positions makes ghost code and lemmas -- simpler, so we do it. if Right = 0 then return 1; elsif Left = 0 then return 0; end if; loop pragma Loop_Invariant (Exp > 0); pragma Loop_Invariant (Factor /= 0); pragma Loop_Invariant (Big (Result) * Big (Factor) ** Exp = Big (Left) ** Right); pragma Loop_Variant (Decreases => Exp); if Exp rem 2 /= 0 then declare pragma Unsuppress (Overflow_Check); begin pragma Assert (Big (Factor) ** Exp = Big (Factor) * Big (Factor) ** (Exp - 1)); Lemma_Exp_Positive (Big (Factor), Exp - 1); Lemma_Mult_In_Range (Big (Result) * Big (Factor), Big (Factor) ** (Exp - 1), Big (Left) ** Right); Result := Result * Factor; end; end if; Lemma_Exp_Expand (Big (Factor), Exp); Exp := Exp / 2; exit when Exp = 0; Rest := Big (Factor) ** Exp; pragma Assert (Big (Result) * (Rest * Rest) = Big (Left) ** Right); declare pragma Unsuppress (Overflow_Check); begin Lemma_Mult_In_Range (Rest * Rest, Big (Result), Big (Left) ** Right); Lemma_Exp_In_Range (Big (Factor), Exp); Factor := Factor * Factor; end; pragma Assert (Big (Factor) ** Exp = Rest * Rest); end loop; pragma Assert (Big (Result) = Big (Left) ** Right); return Result; end Expon; ---------------------- -- Lemma_Exp_Expand -- ---------------------- procedure Lemma_Exp_Expand (A : Big_Integer; Exp : Natural) is begin if Exp rem 2 = 0 then pragma Assert (Exp = Exp / 2 + Exp / 2); else pragma Assert (Exp = Exp / 2 + Exp / 2 + 1); pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2 + 1)); pragma Assert (A ** (Exp / 2 + 1) = A ** (Exp / 2) * A); pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2) * A); end if; end Lemma_Exp_Expand; ------------------------ -- Lemma_Exp_In_Range -- ------------------------ procedure Lemma_Exp_In_Range (A : Big_Integer; Exp : Positive) is begin if A /= 0 and Exp /= 1 then pragma Assert (A ** Exp = A * A ** (Exp - 1)); Lemma_Mult_In_Range (A * A, A ** (Exp - 1) * A ** (Exp - 1), A ** Exp * A ** Exp); end if; end Lemma_Exp_In_Range; ------------------------ -- Lemma_Exp_Positive -- ------------------------ procedure Lemma_Exp_Positive (A : Big_Integer; Exp : Natural) is begin if Exp = 0 then pragma Assert (A ** Exp = 1); else pragma Assert (Exp = 2 * (Exp / 2)); pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2)); pragma Assert (A ** Exp = (A ** (Exp / 2)) ** 2); Lemma_Exp_Not_Zero (A, Exp / 2); end if; end Lemma_Exp_Positive; end System.Expont;