Cheers, Matthias

posted by minddriven.de

Thank you very much.

posted by macias

posted by Andrew Zonov

that's a very good point.

(As far as x is concerned) the loop invariant is x >= 0, as before entering the loop x == 0, and then it is always incremented by one.

At the loop exit, we know that x >= 0, but also that x > N (by the negation of the loop guard) and N > 0 (by the method precondition).

As a consequence we can refine the interval for x to [2, +oo].

I haven't mentioned it in the video to keep it simple, but you are right that the tool can prove a stronger assertion after the loop. In fact, if you download the checker, you can see that it proves the assertions x > 0 and x > 1 (but not x > 2).

Thanks!

f

posted by logozzo
