Initial examples from book

[acsl-example] / inc / find2.h

typedef int value_type;
typedef unsigned int size_type;

/*@
        axiomatic SomeNone {
                predicate SomeEqual{A}(value_type* a, integer m, integer n, value_type v) =
                        \exists integer i; m <= i < n && a[i] == v;

                predicate SomeEqual{A}(value_type* a, integer n, value_type v) =
                        SomeEqual(a, 0, n, v);

                predicate NoneEqual(value_type* a, integer m, integer n, value_type v) =
                        \forall integer i; m <= i < n ==> a[i] != v;

                predicate NoneEqual(value_type* a, integer n, value_type v) =
                        NoneEqual(a, 0, n, v);

                lemma
                NotSomeEqual_NoneEqual:
                        \forall value_type *a, v, integer m, n;
                        !SomeEqual(a, m, n, v) ==> NoneEqual(a, m, n, v);

                lemma
                NoneEqual_NotSomeEqual:
                        \forall value_type *a, v, integer m, n;
                        NoneEqual(a, m, n, v) ==> !SomeEqual(a, m, n, v);
        }
*/

/*@
        requires valid: \valid_read(a + (0..n-1));
        assigns \nothing;
        ensures result: 0 <= \result <= n;

        behavior some:
                assumes         SomeEqual(a, n, v);
                assigns         \nothing;
                ensures bound:  0 <= \result < n;
                ensures result: a[\result] == v;
                ensures first:  NoneEqual(a, \result, v);

        behavior none:
                assumes         NoneEqual(a, n, v);
                assigns         \nothing;
                ensures result: \result == n;

        complete behaviors;
        disjoint behaviors;
*/
size_type
find2(const value_type* a, size_type n, value_type v);