------------------------------------------------------------------------------ | |

-- -- | |

-- GNAT RUN-TIME COMPONENTS -- | |

-- -- | |

-- S Y S T E M . E X P O N T -- | |

-- -- | |

-- B o d y -- | |

-- -- | |

-- Copyright (C) 1992-2022, Free Software Foundation, Inc. -- | |

-- -- | |

-- GNAT is free software; you can redistribute it and/or modify it under -- | |

-- terms of the GNU General Public License as published by the Free Soft- -- | |

-- ware Foundation; either version 3, or (at your option) any later ver- -- | |

-- sion. GNAT is distributed in the hope that it will be useful, but WITH- -- | |

-- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -- | |

-- or FITNESS FOR A PARTICULAR PURPOSE. -- | |

-- -- | |

-- As a special exception under Section 7 of GPL version 3, you are granted -- | |

-- additional permissions described in the GCC Runtime Library Exception, -- | |

-- version 3.1, as published by the Free Software Foundation. -- | |

-- -- | |

-- You should have received a copy of the GNU General Public License and -- | |

-- a copy of the GCC Runtime Library Exception along with this program; -- | |

-- see the files COPYING3 and COPYING.RUNTIME respectively. If not, see -- | |

-- <http://www.gnu.org/licenses/>. -- | |

-- -- | |

-- GNAT was originally developed by the GNAT team at New York University. -- | |

-- Extensive contributions were provided by Ada Core Technologies Inc. -- | |

-- -- | |

------------------------------------------------------------------------------ | |

package body System.Expont | |

with SPARK_Mode | |

is | |

-- Preconditions, postconditions, ghost code, loop invariants and | |

-- assertions in this unit are meant for analysis only, not for run-time | |

-- checking, as it would be too costly otherwise. This is enforced by | |

-- setting the assertion policy to Ignore. | |

pragma Assertion_Policy (Pre => Ignore, | |

Post => Ignore, | |

Ghost => Ignore, | |

Loop_Invariant => Ignore, | |

Assert => Ignore); | |

-- Local lemmas | |

procedure Lemma_Exp_Expand (A : Big_Integer; Exp : Natural) | |

with | |

Ghost, | |

Pre => A /= 0, | |

Post => | |

(if Exp rem 2 = 0 then | |

A ** Exp = A ** (Exp / 2) * A ** (Exp / 2) | |

else | |

A ** Exp = A ** (Exp / 2) * A ** (Exp / 2) * A); | |

procedure Lemma_Exp_In_Range (A : Big_Integer; Exp : Positive) | |

with | |

Ghost, | |

Pre => In_Int_Range (A ** Exp * A ** Exp), | |

Post => In_Int_Range (A * A); | |

procedure Lemma_Exp_Not_Zero (A : Big_Integer; Exp : Natural) | |

with | |

Ghost, | |

Pre => A /= 0, | |

Post => A ** Exp /= 0; | |

procedure Lemma_Exp_Positive (A : Big_Integer; Exp : Natural) | |

with | |

Ghost, | |

Pre => A /= 0 | |

and then Exp rem 2 = 0, | |

Post => A ** Exp > 0; | |

procedure Lemma_Mult_In_Range (X, Y, Z : Big_Integer) | |

with | |

Ghost, | |

Pre => Y /= 0 | |

and then not (X = -Big (Int'First) and Y = -1) | |

and then X * Y = Z | |

and then In_Int_Range (Z), | |

Post => In_Int_Range (X); | |

----------------------------- | |

-- Local lemma null bodies -- | |

----------------------------- | |

procedure Lemma_Exp_Not_Zero (A : Big_Integer; Exp : Natural) is null; | |

procedure Lemma_Mult_In_Range (X, Y, Z : Big_Integer) is null; | |

----------- | |

-- Expon -- | |

----------- | |

function Expon (Left : Int; Right : Natural) return Int is | |

-- Note that negative exponents get a constraint error because the | |

-- subtype of the Right argument (the exponent) is Natural. | |

Result : Int := 1; | |

Factor : Int := Left; | |

Exp : Natural := Right; | |

Rest : Big_Integer with Ghost; | |

-- Ghost variable to hold Factor**Exp between Exp and Factor updates | |

begin | |

-- We use the standard logarithmic approach, Exp gets shifted right | |

-- testing successive low order bits and Factor is the value of the | |

-- base raised to the next power of 2. | |

-- Note: for compilation only, it is not worth special casing base | |

-- values -1, 0, +1 since the expander does this when the base is a | |

-- literal, and other cases will be extremely rare. But for proof, | |

-- special casing zero in both positions makes ghost code and lemmas | |

-- simpler, so we do it. | |

if Right = 0 then | |

return 1; | |

elsif Left = 0 then | |

return 0; | |

end if; | |

loop | |

pragma Loop_Invariant (Exp > 0); | |

pragma Loop_Invariant (Factor /= 0); | |

pragma Loop_Invariant | |

(Big (Result) * Big (Factor) ** Exp = Big (Left) ** Right); | |

pragma Loop_Variant (Decreases => Exp); | |

if Exp rem 2 /= 0 then | |

declare | |

pragma Unsuppress (Overflow_Check); | |

begin | |

pragma Assert | |

(Big (Factor) ** Exp | |

= Big (Factor) * Big (Factor) ** (Exp - 1)); | |

Lemma_Exp_Positive (Big (Factor), Exp - 1); | |

Lemma_Mult_In_Range (Big (Result) * Big (Factor), | |

Big (Factor) ** (Exp - 1), | |

Big (Left) ** Right); | |

Result := Result * Factor; | |

end; | |

end if; | |

Lemma_Exp_Expand (Big (Factor), Exp); | |

Exp := Exp / 2; | |

exit when Exp = 0; | |

Rest := Big (Factor) ** Exp; | |

pragma Assert | |

(Big (Result) * (Rest * Rest) = Big (Left) ** Right); | |

declare | |

pragma Unsuppress (Overflow_Check); | |

begin | |

Lemma_Mult_In_Range (Rest * Rest, | |

Big (Result), | |

Big (Left) ** Right); | |

Lemma_Exp_In_Range (Big (Factor), Exp); | |

Factor := Factor * Factor; | |

end; | |

pragma Assert (Big (Factor) ** Exp = Rest * Rest); | |

end loop; | |

pragma Assert (Big (Result) = Big (Left) ** Right); | |

return Result; | |

end Expon; | |

---------------------- | |

-- Lemma_Exp_Expand -- | |

---------------------- | |

procedure Lemma_Exp_Expand (A : Big_Integer; Exp : Natural) is | |

begin | |

if Exp rem 2 = 0 then | |

pragma Assert (Exp = Exp / 2 + Exp / 2); | |

else | |

pragma Assert (Exp = Exp / 2 + Exp / 2 + 1); | |

pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2 + 1)); | |

pragma Assert (A ** (Exp / 2 + 1) = A ** (Exp / 2) * A); | |

pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2) * A); | |

end if; | |

end Lemma_Exp_Expand; | |

------------------------ | |

-- Lemma_Exp_In_Range -- | |

------------------------ | |

procedure Lemma_Exp_In_Range (A : Big_Integer; Exp : Positive) is | |

begin | |

if A /= 0 and Exp /= 1 then | |

pragma Assert (A ** Exp = A * A ** (Exp - 1)); | |

Lemma_Mult_In_Range | |

(A * A, A ** (Exp - 1) * A ** (Exp - 1), A ** Exp * A ** Exp); | |

end if; | |

end Lemma_Exp_In_Range; | |

------------------------ | |

-- Lemma_Exp_Positive -- | |

------------------------ | |

procedure Lemma_Exp_Positive (A : Big_Integer; Exp : Natural) is | |

begin | |

if Exp = 0 then | |

pragma Assert (A ** Exp = 1); | |

else | |

pragma Assert (Exp = 2 * (Exp / 2)); | |

pragma Assert (A ** Exp = A ** (Exp / 2) * A ** (Exp / 2)); | |

pragma Assert (A ** Exp = (A ** (Exp / 2)) ** 2); | |

Lemma_Exp_Not_Zero (A, Exp / 2); | |

end if; | |

end Lemma_Exp_Positive; | |

end System.Expont; |