Can'；在Ada Spark中不能证明看似微不足道的等式_Ada

Can'；在Ada Spark中不能证明看似微不足道的等式

ada

Can'；在Ada Spark中不能证明看似微不足道的等式,ada,Ada,所以我有这两个文件测试广告 package Testing with SPARK_Mode is function InefficientEuler1Sum2 (N: Natural) return Natural; procedure LemmaForTesting with Ghost, Post => (InefficientEuler1Sum2(0) = 0); end Testing; 和测试.adb package body Te

所以我有这两个文件

测试广告

package Testing with
   SPARK_Mode
is

   function InefficientEuler1Sum2 (N: Natural) return Natural;

   procedure LemmaForTesting with
     Ghost,
     Post => (InefficientEuler1Sum2(0) = 0);

end Testing;

和测试.adb

package body Testing with
   SPARK_Mode
is

   function InefficientEuler1Sum2 (N: Natural) return Natural is
      Sum: Natural := 0;
   begin
      for I in 0..N loop
         if I mod 3 = 0 then
            Sum := Sum + I;
         end if;
         if I mod 5 = 0 then
            Sum := Sum + I;
         end if;
         if I mod 15 = 0 then
            Sum := Sum - I;
         end if;
      end loop;
      return Sum;
   end InefficientEuler1Sum2;

   procedure LemmaForTesting
   is
   begin
      null;
   end LemmaForTesting;

end Testing;

当我运行SPARK->Prove文件时，会收到这样的消息：

GNATprove
    E:\Ada\Testing SPARK\search\src\testing.ads
        10:14 medium: postcondition might fail
           cannot prove InefficientEuler1Sum2(0) = 0

为什么会这样？我误解了什么或者做错了什么？

提前感谢。

要证明这个微不足道的等式，您需要确保它包含在函数的post条件中。如果是这样，您可以使用一个简单的

Assert

语句来证明等式，如下例所示。此时不需要引理

但是，post条件不足以证明不存在运行时错误（AoRTE）：给定函数的允许输入范围，对于某些值

，求和可能会溢出。为了缓解这个问题，您需要绑定

的输入值，并向验证程序显示

Sum

的值在使用循环不变量的循环过程中保持有界（请参阅，以及有关循环不变量的一些背景信息）。出于说明目的，我选择了

（2*I）*I

的保守界，这将严格限制输入值的允许范围，但允许验证程序证明示例中没有运行时错误

测试。广告

package Testing with SPARK_Mode is

   --  Using the loop variant in the function body, one can guarantee that no
   --  overflow will occur for all values of N in the range 
   --
   --     0 .. Sqrt (Natural'Last / 2)   <=>   0 .. 32767
   --
   --  Of course, this bound is quite conservative, but it may be enough for a
   --  given application.
   --
   --  The post-condition can be used to prove the trivial equality as stated
   --  in your question.
   
   subtype Domain is Natural range 0 .. 32767;
   
   function Inefficient_Euler_1_Sum_2 (N : Domain) return Natural
     with Post => (if N = 0 then Inefficient_Euler_1_Sum_2'Result = 0);

end Testing;

输出

$ gnatprove -Pdefault.gpr -j0 --level=1 --report=all
Phase 1 of 2: generation of Global contracts ...
Phase 2 of 2: flow analysis and proof ...
main.adb:5:19: info: assertion proved
testing.adb:13:15: info: division check proved
testing.adb:14:24: info: overflow check proved
testing.adb:16:15: info: division check proved
testing.adb:17:24: info: overflow check proved
testing.adb:19:15: info: division check proved
testing.adb:20:24: info: overflow check proved
testing.adb:20:24: info: range check proved
testing.adb:23:33: info: loop invariant preservation proved
testing.adb:23:33: info: loop invariant initialization proved
testing.adb:23:42: info: overflow check proved
testing.adb:23:46: info: overflow check proved
testing.ads:17:19: info: postcondition proved
Summary logged in /obj/gnatprove/gnatprove.out

with Testing; use Testing;

procedure Main with SPARK_Mode is
begin
   pragma Assert (Inefficient_Euler_1_Sum_2 (0) = 0);   
end Main;

$ gnatprove -Pdefault.gpr -j0 --level=1 --report=all
Phase 1 of 2: generation of Global contracts ...
Phase 2 of 2: flow analysis and proof ...
main.adb:5:19: info: assertion proved
testing.adb:13:15: info: division check proved
testing.adb:14:24: info: overflow check proved
testing.adb:16:15: info: division check proved
testing.adb:17:24: info: overflow check proved
testing.adb:19:15: info: division check proved
testing.adb:20:24: info: overflow check proved
testing.adb:20:24: info: range check proved
testing.adb:23:33: info: loop invariant preservation proved
testing.adb:23:33: info: loop invariant initialization proved
testing.adb:23:42: info: overflow check proved
testing.adb:23:46: info: overflow check proved
testing.ads:17:19: info: postcondition proved
Summary logged in /obj/gnatprove/gnatprove.out