From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM autolearn=unavailable autolearn_force=no version=3.4.4 Path: eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!news.eternal-september.org!feeder.eternal-september.org!news.gegeweb.eu!gegeweb.org!news.muarf.org!nntpfeed.proxad.net!proxad.net!feeder1-1.proxad.net!cleanfeed3-b.proxad.net!nnrp2-2.free.fr!not-for-mail From: =?iso-8859-1?b?RnLpZOlyaWM=?= Praca Subject: [Spark] Proving GCD Newsgroups: comp.lang.ada User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Date: 16 Mar 2017 20:31:55 GMT Message-ID: <58caf63b$0$24793$426a74cc@news.free.fr> Organization: Guest of ProXad - France NNTP-Posting-Date: 16 Mar 2017 21:31:55 CET NNTP-Posting-Host: 88.169.125.217 X-Trace: 1489696315 news-2.free.fr 24793 88.169.125.217:36406 X-Complaints-To: abuse@proxad.net Xref: news.eternal-september.org comp.lang.ada:46405 Date: 2017-03-16T21:31:55+01:00 List-Id: Hi guys, sorry for the first message, I clicked on the wrong button :D I'm trying to train myself on Spark and I tried to see if a simple function like GCD could be proved. I created the following : GCD_Package is pragma SPARK_Mode; pragma Assertion_Policy(Check); function gcd (A : Natural; B : Positive) return Natural with Global => null, Depends => (gcd'Result => (A,B)), Post => gcd'Result <= A and A mod gcd'Result = 0 and B mod gcd'Result = 0 ; end GCD_Package; package body GCD_Package is pragma SPARK_Mode; function gcd (A : Natural; B : Positive) return Natural is Value : Natural; Temp : Natural; Local_B : Natural := B; Local_A : Natural := A; begin if A = 0 then value := B; else while Local_B > 0 loop pragma Loop_Variant (Decreases => Local_B); Temp := Local_B; Local_B := Local_A mod Local_B; Local_A := Temp; end loop; value := Local_A; end if; return value; end Gcd; end GCD_Package; The answer is always "postcondition might fail" and I don't know what to do. Do you have an idea on how to discharge all VCs and thus prove this code ? Thanks Fred