Skip to main content

axiom/WrapInt16

Reference for mo:core/axiom/WrapInt16 in the core library.

This page lists trusted proof lemmas. Calling one adds its ensures facts after its requires clauses are proven; the lemma body itself is part of the trusted base, not a verifier-checked derivation. Use these when ordinary SMT arithmetic needs a precise algebraic step.

Import

mo:core/axiom/WrapInt16

Status

  • Spec-only axiom module

Public API

Types

  • Int16

Lemmas

wrapSpec(x : Int16) : ()

Establishes bits(x) == bits(x) % 65536 in the current proof context.

Contract

ensures bits(x) == bits(x) % 65536;

Use when: a proof needs this fact explicitly and the solver has not derived it automatically.

add(a : Int16, b : Int16) : ()

Establishes bits(Int16.addWrap(a, b)) == (bits(a) + bits(b)) % 65536 in the current proof context.

Contract

ensures bits(Int16.addWrap(a, b)) == (bits(a) + bits(b)) % 65536;

Use when: a proof needs this fact explicitly and the solver has not derived it automatically.

sub(a : Int16, b : Int16) : ()

Establishes bits(Int16.subWrap(a, b)) == (bits(a) + 65536 - bits(b)) % 65536 in the current proof context.

Contract

ensures bits(Int16.subWrap(a, b)) == (bits(a) + 65536 - bits(b)) % 65536;

Use when: a proof needs this fact explicitly and the solver has not derived it automatically.

mul(a : Int16, b : Int16) : ()

Establishes bits(Int16.mulWrap(a, b)) == (bits(a) * bits(b)) % 65536 in the current proof context.

Contract

ensures bits(Int16.mulWrap(a, b)) == (bits(a) * bits(b)) % 65536;

Use when: a proof needs this fact explicitly and the solver has not derived it automatically.

noOverflowAdd(a : Int16, b : Int16) : ()

Establishes toSigned(Int16.addWrap(a, b)) == toSigned(a) + toSigned(b) in the current proof context.

Contract

requires -32768 <= toSigned(a) + toSigned(b);
requires toSigned(a) + toSigned(b) <= 32767;
ensures toSigned(Int16.addWrap(a, b)) == toSigned(a) + toSigned(b);

Use when: a proof needs this fact explicitly and the solver has not derived it automatically.

noOverflowMul(a : Int16, b : Int16) : ()

Establishes toSigned(Int16.mulWrap(a, b)) == toSigned(a) * toSigned(b) in the current proof context.

Contract

requires -32768 <= toSigned(a) * toSigned(b);
requires toSigned(a) * toSigned(b) <= 32767;
ensures toSigned(Int16.mulWrap(a, b)) == toSigned(a) * toSigned(b);

Use when: a proof needs this fact explicitly and the solver has not derived it automatically.

Summary

  • Spec-only axiom module under mo:core/axiom/WrapInt16.
  • Exposes 6 trusted lemmas.