------------------------------------------------------------------------------
--                                                                          --
--                         GNAT RUN-TIME COMPONENTS                         --
--                                                                          --
--                        S Y S T E M . E X P O N T                         --
--                                                                          --
--                                 B o d y                                  --
--                                                                          --
--          Copyright (C) 1992-2023, Free Software Foundation, Inc.         --
--                                                                          --
-- GNAT is free software;  you can  redistribute it  and/or modify it under --
-- terms of the  GNU General Public License as published  by the Free Soft- --
-- ware  Foundation;  either version 3,  or (at your option) any later ver- --
-- sion.  GNAT is distributed in the hope that it will be useful, but WITH- --
-- OUT ANY WARRANTY;  without even the  implied warranty of MERCHANTABILITY --
-- or FITNESS FOR A PARTICULAR PURPOSE.                                     --
--                                                                          --
-- As a special exception under Section 7 of GPL version 3, you are granted --
-- additional permissions described in the GCC Runtime Library Exception,   --
-- version 3.1, as published by the Free Software Foundation.               --
--                                                                          --
-- You should have received a copy of the GNU General Public License and    --
-- a copy of the GCC Runtime Library Exception along with this program;     --
-- see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see    --
-- <http://www.gnu.org/licenses/>.                                          --
--                                                                          --
-- GNAT was originally developed  by the GNAT team at  New York University. --
-- Extensive contributions were provided by Ada Core Technologies Inc.      --
--                                                                          --
------------------------------------------------------------------------------

package body System.Expont
  with SPARK_Mode
is

   --  Preconditions, postconditions, ghost code, loop invariants and
   --  assertions in this unit are meant for analysis only, not for run-time
   --  checking, as it would be too costly otherwise. This is enforced by
   --  setting the assertion policy to Ignore.

   pragma Assertion_Policy (Pre            => Ignore,
                            Post           => Ignore,
                            Ghost          => Ignore,
                            Loop_Invariant => Ignore,
                            Assert         => Ignore);

   --  Int, Big, Big_Integer and In_Int_Range are not declared in this body;
   --  they come from the package specification (not shown here). From their
   --  uses in the contracts below, Big appears to map an Int value to an
   --  unbounded Big_Integer and In_Int_Range to test whether a Big_Integer
   --  fits back into Int; confirm against the spec.

   --  Local lemmas

   --  Each lemma is a ghost procedure whose Pre/Post contract states a fact
   --  about Big_Integer arithmetic that the proof of Expon relies on. The
   --  bodies appear further down; a null body means the contract is
   --  discharged without any intermediate proof steps being spelled out.

   procedure Lemma_Exp_Expand (A : Big_Integer; Exp : Natural)
   with
     Ghost,
     Pre  => A /= 0,
     Post =>
       (if Exp rem 2 = 0 then
          A ** Exp = A ** (Exp / 2) * A ** (Exp / 2)
        else
          A ** Exp = A ** (Exp / 2) * A ** (Exp / 2) * A);
   --  A ** Exp is the product of two copies of A ** (Exp / 2), times one more
   --  A when Exp is odd. This is the algebraic step behind halving Exp and
   --  squaring Factor in the loop of Expon.

   procedure Lemma_Exp_In_Range (A : Big_Integer; Exp : Positive)
   with
     Ghost,
     Pre  => In_Int_Range (A ** Exp * A ** Exp),
     Post => In_Int_Range (A * A);
   --  If the square of A ** Exp fits in Int, so does A * A. This is what
   --  lets Expon square Factor without overflow while Exp is still positive.

   procedure Lemma_Exp_Not_Zero (A : Big_Integer; Exp : Natural)
   with
     Ghost,
     Pre  => A /= 0,
     Post => A ** Exp /= 0;
   --  A nonzero base raised to any natural power is nonzero

   procedure Lemma_Exp_Positive (A : Big_Integer; Exp : Natural)
   with
     Ghost,
     Pre  => A /= 0
       and then Exp rem 2 = 0,
     Post => A ** Exp > 0;
   --  A nonzero base raised to an even power is strictly positive

   procedure Lemma_Mult_In_Range (X, Y, Z : Big_Integer)
   with
     Ghost,
     Pre  => Y /= 0
       and then not (X = -Big (Int'First) and Y = -1)
       and then X * Y = Z
       and then In_Int_Range (Z),
     Post => In_Int_Range (X);
   --  Cancellation: if X * Y = Z with Y /= 0 and Z fits in Int, then X fits
   --  in Int as well. The one excluded pair X = -Int'First, Y = -1 gives the
   --  product Int'First, which is in range while X itself presumably is not
   --  (Int is not assumed to be symmetric about zero).

   -----------------------------
   -- Local lemma null bodies --
   -----------------------------

   --  These two contracts need no intermediate steps: the prover establishes
   --  them directly from the declarations above.

   procedure Lemma_Exp_Not_Zero (A : Big_Integer; Exp : Natural) is null;
   procedure Lemma_Mult_In_Range (X, Y, Z : Big_Integer) is null;

   -----------
   -- Expon --
   -----------

   --  Left ** Right computed by binary (square-and-multiply) exponentiation.
   --  Right = 0 yields 1 and Left = 0 yields 0 without entering the loop.
   --  The two multiplications that can overflow run with Overflow_Check
   --  unsuppressed, so a result that does not fit in Int raises
   --  Constraint_Error instead of wrapping around, regardless of whether
   --  checks are suppressed elsewhere in the run-time. The ghost code shows
   --  that, under the precondition from the spec (presumably that
   --  Big (Left) ** Right is in Int range, since Lemma_Mult_In_Range requires
   --  In_Int_Range (Z) with Z = Big (Left) ** Right), every intermediate
   --  product also fits in Int, i.e. the checks can only fail when the final
   --  result itself would not fit.

   function Expon (Left : Int; Right : Natural) return Int is

      --  Note that negative exponents get a constraint error because the
      --  subtype of the Right argument (the exponent) is Natural.

      Result : Int     := 1;
      Factor : Int     := Left;
      Exp    : Natural := Right;
      --  Result accumulates the answer, Factor is the base raised to the
      --  current power of two, Exp is the part of the exponent not yet
      --  consumed.

      Rest : Big_Integer with Ghost;
      --  Ghost variable to hold Factor**Exp between Exp and Factor updates

   begin
      --  We use the standard logarithmic approach, Exp gets shifted right
      --  testing successive low order bits and Factor is the value of the
      --  base raised to the next power of 2.

      --  Note: for compilation only, it is not worth special casing base
      --  values -1, 0, +1 since the expander does this when the base is a
      --  literal, and other cases will be extremely rare. But for proof,
      --  special casing zero in both positions makes ghost code and lemmas
      --  simpler, so we do it.

      if Right = 0 then
         return 1;
      elsif Left = 0 then
         return 0;
      end if;

      --  Loop invariant: Result * Factor ** Exp = Left ** Right, so once Exp
      --  reaches 0 Result is the answer. Exp is halved on every iteration,
      --  which is the termination argument recorded by the Loop_Variant.

      loop
         pragma Loop_Invariant (Exp > 0);
         pragma Loop_Invariant (Factor /= 0);
         pragma Loop_Invariant
           (Big (Result) * Big (Factor) ** Exp = Big (Left) ** Right);
         pragma Loop_Variant (Decreases => Exp);

         --  Low-order bit of Exp set: fold the current power of the base
         --  into Result. The lemmas establish that Result * Factor fits in
         --  Int before the checked multiplication runs.

         if Exp rem 2 /= 0 then
            declare
               pragma Unsuppress (Overflow_Check);
               --  Re-enable the overflow check for this block only, so the
               --  multiplication below raises rather than wraps
            begin
               pragma Assert
                 (Big (Factor) ** Exp
                  = Big (Factor) * Big (Factor) ** (Exp - 1));
               Lemma_Exp_Positive (Big (Factor), Exp - 1);
               Lemma_Mult_In_Range (Big (Result) * Big (Factor),
                                    Big (Factor) ** (Exp - 1),
                                    Big (Left) ** Right);

               Result := Result * Factor;
            end;
         end if;

         --  Relate Factor ** Exp to Factor ** (Exp / 2) before Exp is halved

         Lemma_Exp_Expand (Big (Factor), Exp);

         --  Shift out the bit just processed. Exiting here skips the final
         --  squaring of Factor, whose result would never be used.

         Exp := Exp / 2;
         exit when Exp = 0;

         --  Snapshot Factor ** Exp (for the new Exp) so the assertion after
         --  the squaring can be stated in terms of the old Factor

         Rest := Big (Factor) ** Exp;
         pragma Assert
           (Big (Result) * (Rest * Rest) = Big (Left) ** Right);

         declare
            pragma Unsuppress (Overflow_Check);
            --  Same as above: the squaring below is overflow-checked
         begin
            --  Rest * Rest fits in Int because Result * (Rest * Rest) does,
            --  and from that Lemma_Exp_In_Range derives that Factor * Factor
            --  fits as well.

            Lemma_Mult_In_Range (Rest * Rest,
                                 Big (Result),
                                 Big (Left) ** Right);
            Lemma_Exp_In_Range (Big (Factor), Exp);

            Factor := Factor * Factor;
         end;

         pragma Assert (Big (Factor) ** Exp = Rest * Rest);
      end loop;

      pragma Assert (Big (Result) = Big (Left) ** Right);

      return Result;
   end Expon;

   ----------------------
   -- Lemma_Exp_Expand --
   ----------------------

   --  The even case only needs Exp = Exp / 2 + Exp / 2 for the prover to
   --  split the power. The odd case is spelled out in steps that separate
   --  the extra factor A.

   procedure Lemma_Exp_Expand (A : Big_Integer; Exp : Natural) is
   begin
      if Exp rem 2 = 0 then
         pragma Assert (Exp = Exp / 2 + Exp / 2);
      else
         pragma Assert (Exp = Exp / 2 + Exp / 2 + 1);
         pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2 + 1));
         pragma Assert (A ** (Exp / 2 + 1) = A ** (Exp / 2) * A);
         pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2) * A);
      end if;
   end Lemma_Exp_Expand;

   ------------------------
   -- Lemma_Exp_In_Range --
   ------------------------

   --  When Exp = 1 the pre- and postcondition coincide, and when A = 0 the
   --  square A * A is 0; those cases are left to the prover. Otherwise
   --  A ** Exp * A ** Exp is rewritten as (A * A) * (A ** (Exp - 1)) ** 2 and
   --  Lemma_Mult_In_Range cancels the second factor, which the guard A /= 0
   --  keeps nonzero.

   procedure Lemma_Exp_In_Range (A : Big_Integer; Exp : Positive) is
   begin
      if A /= 0 and Exp /= 1 then
         pragma Assert (A ** Exp = A * A ** (Exp - 1));
         Lemma_Mult_In_Range
           (A * A, A ** (Exp - 1) * A ** (Exp - 1), A ** Exp * A ** Exp);
      end if;
   end Lemma_Exp_In_Range;

   ------------------------
   -- Lemma_Exp_Positive --
   ------------------------

   --  Exp = 0 gives A ** 0 = 1. Otherwise Exp is even by precondition, so
   --  A ** Exp is the square of A ** (Exp / 2), which Lemma_Exp_Not_Zero
   --  shows to be nonzero; a nonzero square is positive.

   procedure Lemma_Exp_Positive (A : Big_Integer; Exp : Natural) is
   begin
      if Exp = 0 then
         pragma Assert (A ** Exp = 1);
      else
         pragma Assert (Exp = 2 * (Exp / 2));
         pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2));
         pragma Assert (A ** Exp = (A ** (Exp / 2)) ** 2);
         Lemma_Exp_Not_Zero (A, Exp / 2);
      end if;
   end Lemma_Exp_Positive;

end System.Expont;
