[Ada] Further adapt proof of double arithmetic runtime unit

After changes in Why3 and generation of VCs, ghost code needs to be adapted for proofs to remain automatic. gcc/ada/ * libgnat/s-aridou.adb (Lemma_Abs_Range, Lemma_Double_Shift_Left, Lemma_Shift_Left): New lemmas. (Double_Divide): Add ghost code. (Lemma_Concat_Definition, Lemma_Double_Shift_Left, Lemma_Shift_Left, Lemma_Shift_Right): Define or complete lemmas. (Scaled_Divide): Add ghost code.
author: Yannick Moy <moy@adacore.com> 2022-04-11 15:56:01 +0000
committer: Pierre-Marie de Rodat <derodat@adacore.com> 2022-05-19 14:05:29 +0000
commit: 054cf924ac00a47301a1c49f6433f70775fe1c0d (patch)
tree: c4b9ea9836b00503a8617c66309c39cdedddfecc /gcc
parent: [Ada] Improve optimization of "=" on bit-packed arrays (diff)
download: gcc-054cf924ac00a47301a1c49f6433f70775fe1c0d.tar.gz
gcc-054cf924ac00a47301a1c49f6433f70775fe1c0d.tar.bz2
gcc-054cf924ac00a47301a1c49f6433f70775fe1c0d.tar.xz
1 files changed, 171 insertions, 4 deletions
diff --git a/gcc/ada/libgnat/s-aridou.adb b/gcc/ada/libgnat/s-aridou.adb
index e2afd524ec4..d2149681dbe 100644
--- a/gcc/ada/libgnat/s-aridou.adb
+++ b/gcc/ada/libgnat/s-aridou.adb
@@ -208,6 +208,13 @@ is
     Ghost,
     Post => abs (X * Y) = abs X * abs Y;
+   procedure Lemma_Abs_Range (X : Big_Integer)
+   with
+     Ghost,
+     Pre  => In_Double_Int_Range (X),
+     Post => abs (X) <= Big_2xxDouble_Minus_1
+       and then In_Double_Int_Range (-abs (X));
   procedure Lemma_Abs_Rem_Commutation (X, Y : Big_Integer)
   with
     Ghost,
@@ -306,6 +313,20 @@ is
     Pre  => S <= Double_Size - S1,
     Post => Shift_Left (Shift_Left (X, S), S1) = Shift_Left (X, S + S1);
+   procedure Lemma_Double_Shift_Left (X : Double_Uns; S, S1 : Double_Uns)
+   with
+     Ghost,
+     Pre  => S <= Double_Uns (Double_Size)
+       and then S1 <= Double_Uns (Double_Size),
+     Post => Shift_Left (Shift_Left (X, Natural (S)), Natural (S1)) =
+             Shift_Left (X, Natural (S + S1));
+   procedure Lemma_Double_Shift_Left (X : Double_Uns; S, S1 : Natural)
+   with
+     Ghost,
+     Pre  => S <= Double_Size - S1,
+     Post => Shift_Left (Shift_Left (X, S), S1) = Shift_Left (X, S + S1);
   procedure Lemma_Double_Shift_Right (X : Double_Uns; S, S1 : Double_Uns)
   with
     Ghost,
@@ -505,6 +526,13 @@ is
     Pre  => A = B * Q + R and then R < B,
     Post => Q = A / B and then R = A rem B;
+   procedure Lemma_Shift_Left (X : Double_Uns; Shift : Natural)
+   with
+     Ghost,
+     Pre  => Shift < Double_Size
+       and then Big (X) * Big_2xx (Shift) < Big_2xxDouble,
+     Post => Big (Shift_Left (X, Shift)) = Big (X) * Big_2xx (Shift);
   procedure Lemma_Shift_Right (X : Double_Uns; Shift : Natural)
   with
     Ghost,
@@ -560,10 +588,10 @@ is
   procedure Inline_Le3 (X1, X2, X3, Y1, Y2, Y3 : Single_Uns) is null;
   procedure Lemma_Abs_Commutation (X : Double_Int) is null;
   procedure Lemma_Abs_Mult_Commutation (X, Y : Big_Integer) is null;
+   procedure Lemma_Abs_Range (X : Big_Integer) is null;
   procedure Lemma_Add_Commutation (X : Double_Uns; Y : Single_Uns) is null;
   procedure Lemma_Add_One (X : Double_Uns) is null;
   procedure Lemma_Bounded_Powers_Of_2_Increasing (M, N : Natural) is null;
-   procedure Lemma_Concat_Definition (X, Y : Single_Uns) is null;
   procedure Lemma_Deep_Mult_Commutation
     (Factor : Big_Integer;
      X, Y   : Single_Uns)
@@ -581,6 +609,8 @@ is
   procedure Lemma_Double_Big_2xxSingle is null;
   procedure Lemma_Double_Shift (X : Double_Uns; S, S1 : Double_Uns) is null;
   procedure Lemma_Double_Shift (X : Single_Uns; S, S1 : Natural) is null;
+   procedure Lemma_Double_Shift_Left (X : Double_Uns; S, S1 : Double_Uns)
+   is null;
   procedure Lemma_Double_Shift_Right (X : Double_Uns; S, S1 : Double_Uns)
   is null;
   procedure Lemma_Ge_Commutation (A, B : Double_Uns) is null;
@@ -949,6 +979,7 @@ is
                  pragma Assert (if X = Double_Int'First and then Round then
                                    Mult > Big_2xxDouble);
               elsif Ylo > 0 then
+                  pragma Assert (Double_Uns'(Ylo * Zhi) > 0);
                  pragma Assert (Big (Double_Uns'(Ylo * Zhi)) > 0);
                  pragma Assert (if X = Double_Int'First and then Round then
                                    Mult > Big_2xxDouble);
@@ -1024,15 +1055,24 @@ is
            pragma Assert (Big (Double_Uns (Hi (T2))) >= 1);
            pragma Assert (Big (Double_Uns (Lo (T2))) >= 0);
            pragma Assert (Big (Double_Uns (Lo (T1))) >= 0);
+            pragma Assert (Mult >= Big_2xxDouble * Big (Double_Uns (Hi (T2))));
            pragma Assert (Mult >= Big_2xxDouble);
            if Hi (T2) > 1 then
               pragma Assert (Big (Double_Uns (Hi (T2))) > 1);
+               pragma Assert (if X = Double_Int'First and then Round then
+                                 Mult > Big_2xxDouble);
            elsif Lo (T2) > 0 then
               pragma Assert (Big (Double_Uns (Lo (T2))) > 0);
+               pragma Assert (if X = Double_Int'First and then Round then
+                                 Mult > Big_2xxDouble);
            elsif Lo (T1) > 0 then
               pragma Assert (Double_Uns (Lo (T1)) > 0);
               Lemma_Gt_Commutation (Double_Uns (Lo (T1)), 0);
               pragma Assert (Big (Double_Uns (Lo (T1))) > 0);
+               pragma Assert (if X = Double_Int'First and then Round then
+                                 Mult > Big_2xxDouble);
+            else
+               pragma Assert (not (X = Double_Int'First and then Round));
            end if;
            Prove_Quotient_Zero;
         end if;
@@ -1172,6 +1212,18 @@ is
      end if;
   end Lemma_Abs_Rem_Commutation;
+   -----------------------------
+   -- Lemma_Concat_Definition --
+   -----------------------------
+   procedure Lemma_Concat_Definition (X, Y : Single_Uns) is
+      Hi : constant Double_Uns := Shift_Left (Double_Uns (X), Single_Size);
+      Lo : constant Double_Uns := Double_Uns (Y);
+   begin
+      pragma Assert (Hi = Double_Uns'(2 ** Single_Size) * Double_Uns (X));
+      pragma Assert ((Hi or Lo) = Hi + Lo);
+   end Lemma_Concat_Definition;
   ------------------------
   -- Lemma_Double_Shift --
   ------------------------
@@ -1185,6 +1237,19 @@ is
        = Shift_Left (X, Natural (Double_Uns (S + S1))));
   end Lemma_Double_Shift;
+   -----------------------------
+   -- Lemma_Double_Shift_Left --
+   -----------------------------
+   procedure Lemma_Double_Shift_Left (X : Double_Uns; S, S1 : Natural) is
+   begin
+      Lemma_Double_Shift_Left (X, Double_Uns (S), Double_Uns (S1));
+      pragma Assert (Shift_Left (Shift_Left (X, S), S1)
+        = Shift_Left (Shift_Left (X, S), Natural (Double_Uns (S1))));
+      pragma Assert (Shift_Left (X, S + S1)
+        = Shift_Left (X, Natural (Double_Uns (S + S1))));
+   end Lemma_Double_Shift_Left;
   ------------------------------
   -- Lemma_Double_Shift_Right --
   ------------------------------
@@ -1328,15 +1393,78 @@ is
      Lemma_Neg_Rem (X, Y);
   end Lemma_Rem_Abs;
+   ----------------------
+   -- Lemma_Shift_Left --
+   ----------------------
+   procedure Lemma_Shift_Left (X : Double_Uns; Shift : Natural) is
+      procedure Lemma_Mult_Pow2 (X : Double_Uns; I : Natural)
+      with
+        Ghost,
+        Pre  => I < Double_Size - 1,
+        Post => X * Double_Uns'(2) ** I * Double_Uns'(2)
+          = X * Double_Uns'(2) ** (I + 1);
+      procedure Lemma_Mult_Pow2 (X : Double_Uns; I : Natural) is
+         Mul1 : constant Double_Uns := Double_Uns'(2) ** I;
+         Mul2 : constant Double_Uns := Double_Uns'(2);
+         Left : constant Double_Uns := X * Mul1 * Mul2;
+      begin
+         pragma Assert (Left = X * (Mul1 * Mul2));
+         pragma Assert (Mul1 * Mul2 = Double_Uns'(2) ** (I + 1));
+      end Lemma_Mult_Pow2;
+      XX : Double_Uns := X;
+   begin
+      for J in 1 .. Shift loop
+         declare
+            Cur_XX : constant Double_Uns := XX;
+         begin
+            XX := Shift_Left (XX, 1);
+            pragma Assert (XX = Cur_XX * Double_Uns'(2));
+            Lemma_Mult_Pow2 (X, J - 1);
+         end;
+         Lemma_Double_Shift_Left (X, J - 1, 1);
+         pragma Loop_Invariant (XX = Shift_Left (X, J));
+         pragma Loop_Invariant (XX = X * Double_Uns'(2) ** J);
+      end loop;
+   end Lemma_Shift_Left;
   -----------------------
   -- Lemma_Shift_Right --
   -----------------------
   procedure Lemma_Shift_Right (X : Double_Uns; Shift : Natural) is
+      procedure Lemma_Div_Pow2 (X : Double_Uns; I : Natural)
+      with
+        Ghost,
+        Pre  => I < Double_Size - 1,
+        Post => X / Double_Uns'(2) ** I / Double_Uns'(2)
+          = X / Double_Uns'(2) ** (I + 1);
+      procedure Lemma_Div_Pow2 (X : Double_Uns; I : Natural) is
+         Div1 : constant Double_Uns := Double_Uns'(2) ** I;
+         Div2 : constant Double_Uns := Double_Uns'(2);
+         Left : constant Double_Uns := X / Div1 / Div2;
+      begin
+         pragma Assert (Left = X / (Div1 * Div2));
+         pragma Assert (Div1 * Div2 = Double_Uns'(2) ** (I + 1));
+      end Lemma_Div_Pow2;
      XX : Double_Uns := X;
   begin
      for J in 1 .. Shift loop
-         XX := Shift_Right (XX, 1);
+         declare
+            Cur_XX : constant Double_Uns := XX;
+         begin
+            XX := Shift_Right (XX, 1);
+            pragma Assert (XX = Cur_XX / Double_Uns'(2));
+            Lemma_Div_Pow2 (X, J - 1);
+         end;
         Lemma_Double_Shift_Right (X, J - 1, 1);
         pragma Loop_Invariant (XX = Shift_Right (X, J));
         pragma Loop_Invariant (XX = X / Double_Uns'(2) ** J);
@@ -1607,6 +1735,7 @@ is
                             "Intentional Unsigned->Signed conversion");
         else
            Prove_Neg_Int;
+            Lemma_Abs_Range (Big (X) * Big (Y));
            return To_Neg_Int (T2);
         end if;
      else -- X < 0
@@ -1617,6 +1746,7 @@ is
                             "Intentional Unsigned->Signed conversion");
         else
            Prove_Neg_Int;
+            Lemma_Abs_Range (Big (X) * Big (Y));
            return To_Neg_Int (T2);
         end if;
      end if;
@@ -1901,6 +2031,9 @@ is
      procedure Prove_Dividend_Scaling is
      begin
+         Lemma_Shift_Left (D (1) & D (2), Scale);
+         Lemma_Shift_Left (Double_Uns (D (3)), Scale);
+         Lemma_Shift_Left (Double_Uns (D (4)), Scale);
         Lemma_Hi_Lo (D (1) & D (2), D (1), D (2));
         pragma Assert (Mult * Big_2xx (Scale) =
           Big_2xxSingle
@@ -2116,6 +2249,7 @@ is
         pragma Assert (Double_Uns (Lo (T1 rem Zlo)) = T1 rem Zlo);
         Lemma_Hi_Lo (T2, Lo (T1 rem Zlo), D (4));
         pragma Assert (T1 rem Zlo + Double_Uns'(1) <= Double_Uns (Zlo));
+         Lemma_Ge_Commutation (Double_Uns (Zlo), T1 rem Zlo + Double_Uns'(1));
         Lemma_Add_Commutation (T1 rem Zlo, 1);
         pragma Assert (Big (T1 rem Zlo) + 1 <= Big (Double_Uns (Zlo)));
         Lemma_Div_Definition (T2, Zlo, T2 / Zlo, Ru);
@@ -2567,6 +2701,21 @@ is
               elsif D (J) = Zhi then
                  Qd (J) := Single_Uns'Last;
+                  Lemma_Concat_Definition (D (J), D (J + 1));
+                  pragma Assert (Big_2xxSingle > Big (Double_Uns (D (J + 2))));
+                  pragma Assert (Big3 (D (J), D (J + 1), 0) + Big_2xxSingle
+                                 > Big3 (D (J), D (J + 1), D (J + 2)));
+                  pragma Assert (Big (Double_Uns'(0)) = 0);
+                  pragma Assert (Big (D (J) & D (J + 1)) * Big_2xxSingle =
+                    Big_2xxSingle * (Big_2xxSingle * Big (Double_Uns (D (J)))
+                                              + Big (Double_Uns (D (J + 1)))));
+                  pragma Assert (Big (D (J) & D (J + 1)) * Big_2xxSingle =
+                    Big_2xxSingle * Big_2xxSingle * Big (Double_Uns (D (J)))
+                               + Big_2xxSingle * Big (Double_Uns (D (J + 1))));
+                  pragma Assert (Big (D (J) & D (J + 1)) * Big_2xxSingle
+                                 = Big3 (D (J), D (J + 1), 0));
+                  pragma Assert ((Big (D (J) & D (J + 1)) + 1) * Big_2xxSingle
+                                 = Big3 (D (J), D (J + 1), 0) + Big_2xxSingle);
                  Lemma_Gt_Mult (Big (Zu), Big (D (J) & D (J + 1)) + 1,
                                 Big_2xxSingle,
                                 Big3 (D (J), D (J + 1), D (J + 2)));
@@ -2617,6 +2766,8 @@ is
                  pragma Loop_Invariant (Qd (J)'Initialized);
                  pragma Loop_Invariant
                    (Big3 (S1, S2, S3) = Big (Double_Uns (Qd (J))) * Big (Zu));
+                  pragma Loop_Invariant
+                    (Big3 (S1, S2, S3) > Big3 (D (J), D (J + 1), D (J + 2)));
                  pragma Assert (Big3 (S1, S2, S3) > 0);
                  if Qd (J) = 0 then
                     pragma Assert (Big3 (S1, S2, S3) = 0);
@@ -2632,6 +2783,9 @@ is
                    (Big3 (S1, S2, S3) >
                       Big3 (D (J), D (J + 1), D (J + 2)) - Big (Zu));
                  Lemma_Subtract_Commutation (Double_Uns (Qd (J)), 1);
+                  pragma Assert (Double_Uns (Qd (J)) - Double_Uns'(1)
+                                 = Double_Uns (Qd (J) - 1));
+                  pragma Assert (Big (Double_Uns'(1)) = 1);
                  Lemma_Substitution (Big3 (S1, S2, S3), Big (Zu),
                                      Big (Double_Uns (Qd (J))) - 1,
                                      Big (Double_Uns (Qd (J) - 1)), 0);
@@ -2660,8 +2814,7 @@ is
               pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) < Big (Zu));
               if D (J) > 0 then
-                  pragma Assert
+                  Lemma_Double_Big_2xxSingle;
-                    (Big_2xxSingle * Big_2xxSingle = Big_2xxDouble);
                  pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) =
                    Big_2xxSingle
                      * Big_2xxSingle * Big (Double_Uns (D (J)))
@@ -2671,9 +2824,22 @@ is
                    Big_2xxDouble * Big (Double_Uns (D (J)))
                  + Big_2xxSingle * Big (Double_Uns (D (J + 1)))
                                  + Big (Double_Uns (D (J + 2))));
+                  pragma Assert (Big_2xxSingle >= 0);
+                  pragma Assert (Big (Double_Uns (D (J + 1))) >= 0);
+                  pragma Assert
+                    (Big_2xxSingle * Big (Double_Uns (D (J + 1))) >= 0);
+                  pragma Assert
+                    (Big_2xxSingle * Big (Double_Uns (D (J + 1)))
+                                   + Big (Double_Uns (D (J + 2))) >= 0);
                  pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) >=
                                   Big_2xxDouble * Big (Double_Uns (D (J))));
                  Lemma_Ge_Commutation (Double_Uns (D (J)), Double_Uns'(1));
+                  Lemma_Ge_Mult (Big (Double_Uns (D (J))),
+                                 Big (Double_Uns'(1)),
+                                 Big_2xxDouble,
+                                 Big (Double_Uns'(1)) * Big_2xxDouble);
+                  pragma Assert
+                    (Big_2xxDouble * Big (Double_Uns'(1)) = Big_2xxDouble);
                  pragma Assert
                    (Big3 (D (J), D (J + 1), D (J + 2)) >= Big_2xxDouble);
                  pragma Assert (False);
@@ -3039,6 +3205,7 @@ is
            begin
               pragma Assert (Ru = Double_Uns (X) - Double_Uns (Y));
               if Ru < 2 ** (Double_Size - 1) then  --  R >= 0
+                  pragma Assert (To_Uns (Y) <= To_Uns (X));
                  Lemma_Subtract_Double_Uns (X => Y, Y => X);
                  pragma Assert (Ru = Double_Uns (X - Y));
author	Yannick Moy <moy@adacore.com>	2022-04-11 15:56:01 +0000
committer	Pierre-Marie de Rodat <derodat@adacore.com>	2022-05-19 14:05:29 +0000
commit	054cf924ac00a47301a1c49f6433f70775fe1c0d (patch)
tree	c4b9ea9836b00503a8617c66309c39cdedddfecc /gcc
parent	[Ada] Improve optimization of "=" on bit-packed arrays (diff)
download	gcc-054cf924ac00a47301a1c49f6433f70775fe1c0d.tar.gz gcc-054cf924ac00a47301a1c49f6433f70775fe1c0d.tar.bz2 gcc-054cf924ac00a47301a1c49f6433f70775fe1c0d.tar.xz

diff --git a/gcc/ada/libgnat/s-aridou.adb b/gcc/ada/libgnat/s-aridou.adb index e2afd524ec4..d2149681dbe 100644 --- a/gcc/ada/libgnat/s-aridou.adb +++ b/gcc/ada/libgnat/s-aridou.adb
@@ -208,6 +208,13 @@ is
208	Ghost,	208	Ghost,
209	Post => abs (X * Y) = abs X * abs Y;	209	Post => abs (X * Y) = abs X * abs Y;
210		210
		211	procedure Lemma_Abs_Range (X : Big_Integer)
		212	with
		213	Ghost,
		214	Pre => In_Double_Int_Range (X),
		215	Post => abs (X) <= Big_2xxDouble_Minus_1
		216	and then In_Double_Int_Range (-abs (X));
		217
211	procedure Lemma_Abs_Rem_Commutation (X, Y : Big_Integer)	218	procedure Lemma_Abs_Rem_Commutation (X, Y : Big_Integer)
212	with	219	with
213	Ghost,	220	Ghost,
@@ -306,6 +313,20 @@ is
306	Pre => S <= Double_Size - S1,	313	Pre => S <= Double_Size - S1,
307	Post => Shift_Left (Shift_Left (X, S), S1) = Shift_Left (X, S + S1);	314	Post => Shift_Left (Shift_Left (X, S), S1) = Shift_Left (X, S + S1);
308		315
		316	procedure Lemma_Double_Shift_Left (X : Double_Uns; S, S1 : Double_Uns)
		317	with
		318	Ghost,
		319	Pre => S <= Double_Uns (Double_Size)
		320	and then S1 <= Double_Uns (Double_Size),
		321	Post => Shift_Left (Shift_Left (X, Natural (S)), Natural (S1)) =
		322	Shift_Left (X, Natural (S + S1));
		323
		324	procedure Lemma_Double_Shift_Left (X : Double_Uns; S, S1 : Natural)
		325	with
		326	Ghost,
		327	Pre => S <= Double_Size - S1,
		328	Post => Shift_Left (Shift_Left (X, S), S1) = Shift_Left (X, S + S1);
		329
309	procedure Lemma_Double_Shift_Right (X : Double_Uns; S, S1 : Double_Uns)	330	procedure Lemma_Double_Shift_Right (X : Double_Uns; S, S1 : Double_Uns)
310	with	331	with
311	Ghost,	332	Ghost,
@@ -505,6 +526,13 @@ is
505	Pre => A = B * Q + R and then R < B,	526	Pre => A = B * Q + R and then R < B,
506	Post => Q = A / B and then R = A rem B;	527	Post => Q = A / B and then R = A rem B;
507		528
		529	procedure Lemma_Shift_Left (X : Double_Uns; Shift : Natural)
		530	with
		531	Ghost,
		532	Pre => Shift < Double_Size
		533	and then Big (X) * Big_2xx (Shift) < Big_2xxDouble,
		534	Post => Big (Shift_Left (X, Shift)) = Big (X) * Big_2xx (Shift);
		535
508	procedure Lemma_Shift_Right (X : Double_Uns; Shift : Natural)	536	procedure Lemma_Shift_Right (X : Double_Uns; Shift : Natural)
509	with	537	with
510	Ghost,	538	Ghost,
@@ -560,10 +588,10 @@ is
560	procedure Inline_Le3 (X1, X2, X3, Y1, Y2, Y3 : Single_Uns) is null;	588	procedure Inline_Le3 (X1, X2, X3, Y1, Y2, Y3 : Single_Uns) is null;
561	procedure Lemma_Abs_Commutation (X : Double_Int) is null;	589	procedure Lemma_Abs_Commutation (X : Double_Int) is null;
562	procedure Lemma_Abs_Mult_Commutation (X, Y : Big_Integer) is null;	590	procedure Lemma_Abs_Mult_Commutation (X, Y : Big_Integer) is null;
		591	procedure Lemma_Abs_Range (X : Big_Integer) is null;
563	procedure Lemma_Add_Commutation (X : Double_Uns; Y : Single_Uns) is null;	592	procedure Lemma_Add_Commutation (X : Double_Uns; Y : Single_Uns) is null;
564	procedure Lemma_Add_One (X : Double_Uns) is null;	593	procedure Lemma_Add_One (X : Double_Uns) is null;
565	procedure Lemma_Bounded_Powers_Of_2_Increasing (M, N : Natural) is null;	594	procedure Lemma_Bounded_Powers_Of_2_Increasing (M, N : Natural) is null;
566	procedure Lemma_Concat_Definition (X, Y : Single_Uns) is null;
567	procedure Lemma_Deep_Mult_Commutation	595	procedure Lemma_Deep_Mult_Commutation
568	(Factor : Big_Integer;	596	(Factor : Big_Integer;
569	X, Y : Single_Uns)	597	X, Y : Single_Uns)
@@ -581,6 +609,8 @@ is
581	procedure Lemma_Double_Big_2xxSingle is null;	609	procedure Lemma_Double_Big_2xxSingle is null;
582	procedure Lemma_Double_Shift (X : Double_Uns; S, S1 : Double_Uns) is null;	610	procedure Lemma_Double_Shift (X : Double_Uns; S, S1 : Double_Uns) is null;
583	procedure Lemma_Double_Shift (X : Single_Uns; S, S1 : Natural) is null;	611	procedure Lemma_Double_Shift (X : Single_Uns; S, S1 : Natural) is null;
		612	procedure Lemma_Double_Shift_Left (X : Double_Uns; S, S1 : Double_Uns)
		613	is null;
584	procedure Lemma_Double_Shift_Right (X : Double_Uns; S, S1 : Double_Uns)	614	procedure Lemma_Double_Shift_Right (X : Double_Uns; S, S1 : Double_Uns)
585	is null;	615	is null;
586	procedure Lemma_Ge_Commutation (A, B : Double_Uns) is null;	616	procedure Lemma_Ge_Commutation (A, B : Double_Uns) is null;
@@ -949,6 +979,7 @@ is
949	pragma Assert (if X = Double_Int'First and then Round then	979	pragma Assert (if X = Double_Int'First and then Round then
950	Mult > Big_2xxDouble);	980	Mult > Big_2xxDouble);
951	elsif Ylo > 0 then	981	elsif Ylo > 0 then
		982	pragma Assert (Double_Uns'(Ylo * Zhi) > 0);
952	pragma Assert (Big (Double_Uns'(Ylo * Zhi)) > 0);	983	pragma Assert (Big (Double_Uns'(Ylo * Zhi)) > 0);
953	pragma Assert (if X = Double_Int'First and then Round then	984	pragma Assert (if X = Double_Int'First and then Round then
954	Mult > Big_2xxDouble);	985	Mult > Big_2xxDouble);
@@ -1024,15 +1055,24 @@ is
1024	pragma Assert (Big (Double_Uns (Hi (T2))) >= 1);	1055	pragma Assert (Big (Double_Uns (Hi (T2))) >= 1);
1025	pragma Assert (Big (Double_Uns (Lo (T2))) >= 0);	1056	pragma Assert (Big (Double_Uns (Lo (T2))) >= 0);
1026	pragma Assert (Big (Double_Uns (Lo (T1))) >= 0);	1057	pragma Assert (Big (Double_Uns (Lo (T1))) >= 0);
		1058	pragma Assert (Mult >= Big_2xxDouble * Big (Double_Uns (Hi (T2))));
1027	pragma Assert (Mult >= Big_2xxDouble);	1059	pragma Assert (Mult >= Big_2xxDouble);
1028	if Hi (T2) > 1 then	1060	if Hi (T2) > 1 then
1029	pragma Assert (Big (Double_Uns (Hi (T2))) > 1);	1061	pragma Assert (Big (Double_Uns (Hi (T2))) > 1);
		1062	pragma Assert (if X = Double_Int'First and then Round then
		1063	Mult > Big_2xxDouble);
1030	elsif Lo (T2) > 0 then	1064	elsif Lo (T2) > 0 then
1031	pragma Assert (Big (Double_Uns (Lo (T2))) > 0);	1065	pragma Assert (Big (Double_Uns (Lo (T2))) > 0);
		1066	pragma Assert (if X = Double_Int'First and then Round then
		1067	Mult > Big_2xxDouble);
1032	elsif Lo (T1) > 0 then	1068	elsif Lo (T1) > 0 then
1033	pragma Assert (Double_Uns (Lo (T1)) > 0);	1069	pragma Assert (Double_Uns (Lo (T1)) > 0);
1034	Lemma_Gt_Commutation (Double_Uns (Lo (T1)), 0);	1070	Lemma_Gt_Commutation (Double_Uns (Lo (T1)), 0);
1035	pragma Assert (Big (Double_Uns (Lo (T1))) > 0);	1071	pragma Assert (Big (Double_Uns (Lo (T1))) > 0);
		1072	pragma Assert (if X = Double_Int'First and then Round then
		1073	Mult > Big_2xxDouble);
		1074	else
		1075	pragma Assert (not (X = Double_Int'First and then Round));
1036	end if;	1076	end if;
1037	Prove_Quotient_Zero;	1077	Prove_Quotient_Zero;
1038	end if;	1078	end if;
@@ -1172,6 +1212,18 @@ is
1172	end if;	1212	end if;
1173	end Lemma_Abs_Rem_Commutation;	1213	end Lemma_Abs_Rem_Commutation;
1174		1214
		1215	-----------------------------
		1216	-- Lemma_Concat_Definition --
		1217	-----------------------------
		1218
		1219	procedure Lemma_Concat_Definition (X, Y : Single_Uns) is
		1220	Hi : constant Double_Uns := Shift_Left (Double_Uns (X), Single_Size);
		1221	Lo : constant Double_Uns := Double_Uns (Y);
		1222	begin
		1223	pragma Assert (Hi = Double_Uns'(2 ** Single_Size) * Double_Uns (X));
		1224	pragma Assert ((Hi or Lo) = Hi + Lo);
		1225	end Lemma_Concat_Definition;
		1226
1175	------------------------	1227	------------------------
1176	-- Lemma_Double_Shift --	1228	-- Lemma_Double_Shift --
1177	------------------------	1229	------------------------
@@ -1185,6 +1237,19 @@ is
1185	= Shift_Left (X, Natural (Double_Uns (S + S1))));	1237	= Shift_Left (X, Natural (Double_Uns (S + S1))));
1186	end Lemma_Double_Shift;	1238	end Lemma_Double_Shift;
1187		1239
		1240	-----------------------------
		1241	-- Lemma_Double_Shift_Left --
		1242	-----------------------------
		1243
		1244	procedure Lemma_Double_Shift_Left (X : Double_Uns; S, S1 : Natural) is
		1245	begin
		1246	Lemma_Double_Shift_Left (X, Double_Uns (S), Double_Uns (S1));
		1247	pragma Assert (Shift_Left (Shift_Left (X, S), S1)
		1248	= Shift_Left (Shift_Left (X, S), Natural (Double_Uns (S1))));
		1249	pragma Assert (Shift_Left (X, S + S1)
		1250	= Shift_Left (X, Natural (Double_Uns (S + S1))));
		1251	end Lemma_Double_Shift_Left;
		1252
1188	------------------------------	1253	------------------------------
1189	-- Lemma_Double_Shift_Right --	1254	-- Lemma_Double_Shift_Right --
1190	------------------------------	1255	------------------------------
@@ -1328,15 +1393,78 @@ is
1328	Lemma_Neg_Rem (X, Y);	1393	Lemma_Neg_Rem (X, Y);
1329	end Lemma_Rem_Abs;	1394	end Lemma_Rem_Abs;
1330		1395
		1396	----------------------
		1397	-- Lemma_Shift_Left --
		1398	----------------------
		1399
		1400	procedure Lemma_Shift_Left (X : Double_Uns; Shift : Natural) is
		1401
		1402	procedure Lemma_Mult_Pow2 (X : Double_Uns; I : Natural)
		1403	with
		1404	Ghost,
		1405	Pre => I < Double_Size - 1,
		1406	Post => X * Double_Uns'(2) ** I * Double_Uns'(2)
		1407	= X * Double_Uns'(2) ** (I + 1);
		1408
		1409	procedure Lemma_Mult_Pow2 (X : Double_Uns; I : Natural) is
		1410	Mul1 : constant Double_Uns := Double_Uns'(2) ** I;
		1411	Mul2 : constant Double_Uns := Double_Uns'(2);
		1412	Left : constant Double_Uns := X * Mul1 * Mul2;
		1413	begin
		1414	pragma Assert (Left = X * (Mul1 * Mul2));
		1415	pragma Assert (Mul1 * Mul2 = Double_Uns'(2) ** (I + 1));
		1416	end Lemma_Mult_Pow2;
		1417
		1418	XX : Double_Uns := X;
		1419
		1420	begin
		1421	for J in 1 .. Shift loop
		1422	declare
		1423	Cur_XX : constant Double_Uns := XX;
		1424	begin
		1425	XX := Shift_Left (XX, 1);
		1426	pragma Assert (XX = Cur_XX * Double_Uns'(2));
		1427	Lemma_Mult_Pow2 (X, J - 1);
		1428	end;
		1429	Lemma_Double_Shift_Left (X, J - 1, 1);
		1430	pragma Loop_Invariant (XX = Shift_Left (X, J));
		1431	pragma Loop_Invariant (XX = X * Double_Uns'(2) ** J);
		1432	end loop;
		1433	end Lemma_Shift_Left;
		1434
1331	-----------------------	1435	-----------------------
1332	-- Lemma_Shift_Right --	1436	-- Lemma_Shift_Right --
1333	-----------------------	1437	-----------------------
1334		1438
1335	procedure Lemma_Shift_Right (X : Double_Uns; Shift : Natural) is	1439	procedure Lemma_Shift_Right (X : Double_Uns; Shift : Natural) is
		1440
		1441	procedure Lemma_Div_Pow2 (X : Double_Uns; I : Natural)
		1442	with
		1443	Ghost,
		1444	Pre => I < Double_Size - 1,
		1445	Post => X / Double_Uns'(2) ** I / Double_Uns'(2)
		1446	= X / Double_Uns'(2) ** (I + 1);
		1447
		1448	procedure Lemma_Div_Pow2 (X : Double_Uns; I : Natural) is
		1449	Div1 : constant Double_Uns := Double_Uns'(2) ** I;
		1450	Div2 : constant Double_Uns := Double_Uns'(2);
		1451	Left : constant Double_Uns := X / Div1 / Div2;
		1452	begin
		1453	pragma Assert (Left = X / (Div1 * Div2));
		1454	pragma Assert (Div1 * Div2 = Double_Uns'(2) ** (I + 1));
		1455	end Lemma_Div_Pow2;
		1456
1336	XX : Double_Uns := X;	1457	XX : Double_Uns := X;
		1458
1337	begin	1459	begin
1338	for J in 1 .. Shift loop	1460	for J in 1 .. Shift loop
1339	XX := Shift_Right (XX, 1);	1461	declare
		1462	Cur_XX : constant Double_Uns := XX;
		1463	begin
		1464	XX := Shift_Right (XX, 1);
		1465	pragma Assert (XX = Cur_XX / Double_Uns'(2));
		1466	Lemma_Div_Pow2 (X, J - 1);
		1467	end;
1340	Lemma_Double_Shift_Right (X, J - 1, 1);	1468	Lemma_Double_Shift_Right (X, J - 1, 1);
1341	pragma Loop_Invariant (XX = Shift_Right (X, J));	1469	pragma Loop_Invariant (XX = Shift_Right (X, J));
1342	pragma Loop_Invariant (XX = X / Double_Uns'(2) ** J);	1470	pragma Loop_Invariant (XX = X / Double_Uns'(2) ** J);
@@ -1607,6 +1735,7 @@ is
1607	"Intentional Unsigned->Signed conversion");	1735	"Intentional Unsigned->Signed conversion");
1608	else	1736	else
1609	Prove_Neg_Int;	1737	Prove_Neg_Int;
		1738	Lemma_Abs_Range (Big (X) * Big (Y));
1610	return To_Neg_Int (T2);	1739	return To_Neg_Int (T2);
1611	end if;	1740	end if;
1612	else -- X < 0	1741	else -- X < 0
@@ -1617,6 +1746,7 @@ is
1617	"Intentional Unsigned->Signed conversion");	1746	"Intentional Unsigned->Signed conversion");
1618	else	1747	else
1619	Prove_Neg_Int;	1748	Prove_Neg_Int;
		1749	Lemma_Abs_Range (Big (X) * Big (Y));
1620	return To_Neg_Int (T2);	1750	return To_Neg_Int (T2);
1621	end if;	1751	end if;
1622	end if;	1752	end if;
@@ -1901,6 +2031,9 @@ is
1901		2031
1902	procedure Prove_Dividend_Scaling is	2032	procedure Prove_Dividend_Scaling is
1903	begin	2033	begin
		2034	Lemma_Shift_Left (D (1) & D (2), Scale);
		2035	Lemma_Shift_Left (Double_Uns (D (3)), Scale);
		2036	Lemma_Shift_Left (Double_Uns (D (4)), Scale);
1904	Lemma_Hi_Lo (D (1) & D (2), D (1), D (2));	2037	Lemma_Hi_Lo (D (1) & D (2), D (1), D (2));
1905	pragma Assert (Mult * Big_2xx (Scale) =	2038	pragma Assert (Mult * Big_2xx (Scale) =
1906	Big_2xxSingle	2039	Big_2xxSingle
@@ -2116,6 +2249,7 @@ is
2116	pragma Assert (Double_Uns (Lo (T1 rem Zlo)) = T1 rem Zlo);	2249	pragma Assert (Double_Uns (Lo (T1 rem Zlo)) = T1 rem Zlo);
2117	Lemma_Hi_Lo (T2, Lo (T1 rem Zlo), D (4));	2250	Lemma_Hi_Lo (T2, Lo (T1 rem Zlo), D (4));
2118	pragma Assert (T1 rem Zlo + Double_Uns'(1) <= Double_Uns (Zlo));	2251	pragma Assert (T1 rem Zlo + Double_Uns'(1) <= Double_Uns (Zlo));
		2252	Lemma_Ge_Commutation (Double_Uns (Zlo), T1 rem Zlo + Double_Uns'(1));
2119	Lemma_Add_Commutation (T1 rem Zlo, 1);	2253	Lemma_Add_Commutation (T1 rem Zlo, 1);
2120	pragma Assert (Big (T1 rem Zlo) + 1 <= Big (Double_Uns (Zlo)));	2254	pragma Assert (Big (T1 rem Zlo) + 1 <= Big (Double_Uns (Zlo)));
2121	Lemma_Div_Definition (T2, Zlo, T2 / Zlo, Ru);	2255	Lemma_Div_Definition (T2, Zlo, T2 / Zlo, Ru);
@@ -2567,6 +2701,21 @@ is
2567	elsif D (J) = Zhi then	2701	elsif D (J) = Zhi then
2568	Qd (J) := Single_Uns'Last;	2702	Qd (J) := Single_Uns'Last;
2569		2703
		2704	Lemma_Concat_Definition (D (J), D (J + 1));
		2705	pragma Assert (Big_2xxSingle > Big (Double_Uns (D (J + 2))));
		2706	pragma Assert (Big3 (D (J), D (J + 1), 0) + Big_2xxSingle
		2707	> Big3 (D (J), D (J + 1), D (J + 2)));
		2708	pragma Assert (Big (Double_Uns'(0)) = 0);
		2709	pragma Assert (Big (D (J) & D (J + 1)) * Big_2xxSingle =
		2710	Big_2xxSingle * (Big_2xxSingle * Big (Double_Uns (D (J)))
		2711	+ Big (Double_Uns (D (J + 1)))));
		2712	pragma Assert (Big (D (J) & D (J + 1)) * Big_2xxSingle =
		2713	Big_2xxSingle * Big_2xxSingle * Big (Double_Uns (D (J)))
		2714	+ Big_2xxSingle * Big (Double_Uns (D (J + 1))));
		2715	pragma Assert (Big (D (J) & D (J + 1)) * Big_2xxSingle
		2716	= Big3 (D (J), D (J + 1), 0));
		2717	pragma Assert ((Big (D (J) & D (J + 1)) + 1) * Big_2xxSingle
		2718	= Big3 (D (J), D (J + 1), 0) + Big_2xxSingle);
2570	Lemma_Gt_Mult (Big (Zu), Big (D (J) & D (J + 1)) + 1,	2719	Lemma_Gt_Mult (Big (Zu), Big (D (J) & D (J + 1)) + 1,
2571	Big_2xxSingle,	2720	Big_2xxSingle,
2572	Big3 (D (J), D (J + 1), D (J + 2)));	2721	Big3 (D (J), D (J + 1), D (J + 2)));
@@ -2617,6 +2766,8 @@ is
2617	pragma Loop_Invariant (Qd (J)'Initialized);	2766	pragma Loop_Invariant (Qd (J)'Initialized);
2618	pragma Loop_Invariant	2767	pragma Loop_Invariant
2619	(Big3 (S1, S2, S3) = Big (Double_Uns (Qd (J))) * Big (Zu));	2768	(Big3 (S1, S2, S3) = Big (Double_Uns (Qd (J))) * Big (Zu));
		2769	pragma Loop_Invariant
		2770	(Big3 (S1, S2, S3) > Big3 (D (J), D (J + 1), D (J + 2)));
2620	pragma Assert (Big3 (S1, S2, S3) > 0);	2771	pragma Assert (Big3 (S1, S2, S3) > 0);
2621	if Qd (J) = 0 then	2772	if Qd (J) = 0 then
2622	pragma Assert (Big3 (S1, S2, S3) = 0);	2773	pragma Assert (Big3 (S1, S2, S3) = 0);
@@ -2632,6 +2783,9 @@ is
2632	(Big3 (S1, S2, S3) >	2783	(Big3 (S1, S2, S3) >
2633	Big3 (D (J), D (J + 1), D (J + 2)) - Big (Zu));	2784	Big3 (D (J), D (J + 1), D (J + 2)) - Big (Zu));
2634	Lemma_Subtract_Commutation (Double_Uns (Qd (J)), 1);	2785	Lemma_Subtract_Commutation (Double_Uns (Qd (J)), 1);
		2786	pragma Assert (Double_Uns (Qd (J)) - Double_Uns'(1)
		2787	= Double_Uns (Qd (J) - 1));
		2788	pragma Assert (Big (Double_Uns'(1)) = 1);
2635	Lemma_Substitution (Big3 (S1, S2, S3), Big (Zu),	2789	Lemma_Substitution (Big3 (S1, S2, S3), Big (Zu),
2636	Big (Double_Uns (Qd (J))) - 1,	2790	Big (Double_Uns (Qd (J))) - 1,
2637	Big (Double_Uns (Qd (J) - 1)), 0);	2791	Big (Double_Uns (Qd (J) - 1)), 0);
@@ -2660,8 +2814,7 @@ is
2660		2814
2661	pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) < Big (Zu));	2815	pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) < Big (Zu));
2662	if D (J) > 0 then	2816	if D (J) > 0 then
2663	pragma Assert	2817	Lemma_Double_Big_2xxSingle;
2664	(Big_2xxSingle * Big_2xxSingle = Big_2xxDouble);
2665	pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) =	2818	pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) =
2666	Big_2xxSingle	2819	Big_2xxSingle
2667	* Big_2xxSingle * Big (Double_Uns (D (J)))	2820	* Big_2xxSingle * Big (Double_Uns (D (J)))
@@ -2671,9 +2824,22 @@ is
2671	Big_2xxDouble * Big (Double_Uns (D (J)))	2824	Big_2xxDouble * Big (Double_Uns (D (J)))
2672	+ Big_2xxSingle * Big (Double_Uns (D (J + 1)))	2825	+ Big_2xxSingle * Big (Double_Uns (D (J + 1)))
2673	+ Big (Double_Uns (D (J + 2))));	2826	+ Big (Double_Uns (D (J + 2))));
		2827	pragma Assert (Big_2xxSingle >= 0);
		2828	pragma Assert (Big (Double_Uns (D (J + 1))) >= 0);
		2829	pragma Assert
		2830	(Big_2xxSingle * Big (Double_Uns (D (J + 1))) >= 0);
		2831	pragma Assert
		2832	(Big_2xxSingle * Big (Double_Uns (D (J + 1)))
		2833	+ Big (Double_Uns (D (J + 2))) >= 0);
2674	pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) >=	2834	pragma Assert (Big3 (D (J), D (J + 1), D (J + 2)) >=
2675	Big_2xxDouble * Big (Double_Uns (D (J))));	2835	Big_2xxDouble * Big (Double_Uns (D (J))));
2676	Lemma_Ge_Commutation (Double_Uns (D (J)), Double_Uns'(1));	2836	Lemma_Ge_Commutation (Double_Uns (D (J)), Double_Uns'(1));
		2837	Lemma_Ge_Mult (Big (Double_Uns (D (J))),
		2838	Big (Double_Uns'(1)),
		2839	Big_2xxDouble,
		2840	Big (Double_Uns'(1)) * Big_2xxDouble);
		2841	pragma Assert
		2842	(Big_2xxDouble * Big (Double_Uns'(1)) = Big_2xxDouble);
2677	pragma Assert	2843	pragma Assert
2678	(Big3 (D (J), D (J + 1), D (J + 2)) >= Big_2xxDouble);	2844	(Big3 (D (J), D (J + 1), D (J + 2)) >= Big_2xxDouble);
2679	pragma Assert (False);	2845	pragma Assert (False);
@@ -3039,6 +3205,7 @@ is
3039	begin	3205	begin
3040	pragma Assert (Ru = Double_Uns (X) - Double_Uns (Y));	3206	pragma Assert (Ru = Double_Uns (X) - Double_Uns (Y));
3041	if Ru < 2 ** (Double_Size - 1) then -- R >= 0	3207	if Ru < 2 ** (Double_Size - 1) then -- R >= 0
		3208	pragma Assert (To_Uns (Y) <= To_Uns (X));
3042	Lemma_Subtract_Double_Uns (X => Y, Y => X);	3209	Lemma_Subtract_Double_Uns (X => Y, Y => X);
3043	pragma Assert (Ru = Double_Uns (X - Y));	3210	pragma Assert (Ru = Double_Uns (X - Y));
3044		3211