1111
1212#[ cfg( kani) ]
1313use crate :: kani;
14+ #[ cfg( kani) ]
15+ use crate :: forall;
1416use crate :: num:: dec2flt:: common:: { ByteSlice , is_8digits} ;
1517
1618/// A decimal floating-point number, represented as a sequence of decimal digits.
@@ -85,7 +87,7 @@ impl DecimalSeq {
8587 //
8688 // Trim is only called in `right_shift` and `left_shift`.
8789 debug_assert ! ( self . num_digits <= Self :: MAX_DIGITS ) ;
88- #[ kani :: loop_invariant( self . num_digits <= Self :: MAX_DIGITS ) ]
90+ #[ safety :: loop_invariant( self . num_digits <= Self :: MAX_DIGITS ) ]
8991 while self . num_digits != 0 && self . digits [ self . num_digits - 1 ] == 0 {
9092 self . num_digits -= 1 ;
9193 }
@@ -101,7 +103,7 @@ impl DecimalSeq {
101103 let dp = self . decimal_point as usize ;
102104 let mut n = 0_u64 ;
103105
104- #[ kani :: loop_invariant( n < 10u64 . pow( kani:: index as u32 ) ) ]
106+ #[ safety :: loop_invariant( n < 10u64 . pow( kani:: index as u32 ) ) ]
105107 for i in 0 ..dp {
106108 n *= 10 ;
107109 if i < self . num_digits {
@@ -134,7 +136,7 @@ impl DecimalSeq {
134136 let mut write_index = self . num_digits + num_new_digits;
135137 let mut n = 0_u64 ;
136138
137- #[ kani :: loop_invariant( read_index <= Self :: MAX_DIGITS &&
139+ #[ safety :: loop_invariant( read_index <= Self :: MAX_DIGITS &&
138140 write_index == read_index + num_new_digits &&
139141 n < 10u64 << ( shift - 1 ) &&
140142 self . num_digits <= Self :: MAX_DIGITS &&
@@ -155,7 +157,7 @@ impl DecimalSeq {
155157 n = quotient;
156158 }
157159
158- #[ kani :: loop_invariant( self . num_digits <= Self :: MAX_DIGITS && self . decimal_point <= self . num_digits as i32 ) ]
160+ #[ safety :: loop_invariant( self . num_digits <= Self :: MAX_DIGITS && self . decimal_point <= self . num_digits as i32 ) ]
159161 while n > 0 {
160162 write_index -= 1 ;
161163 let quotient = n / 10 ;
@@ -183,15 +185,15 @@ impl DecimalSeq {
183185 let mut read_index = 0 ;
184186 let mut write_index = 0 ;
185187 let mut n = 0_u64 ;
186- #[ kani :: loop_invariant( n == 0 || ( read_index > 0 && read_index <= self . num_digits + 64 - n. leading_zeros( ) as usize ) ) ]
188+ #[ safety :: loop_invariant( n == 0 || ( read_index > 0 && read_index <= self . num_digits + 64 - n. leading_zeros( ) as usize ) ) ]
187189 while ( n >> shift) == 0 {
188190 if read_index < self . num_digits {
189191 n = ( 10 * n) + self . digits [ read_index] as u64 ;
190192 read_index += 1 ;
191193 } else if n == 0 {
192194 return ;
193195 } else {
194- #[ kani :: loop_invariant( n > 0 && read_index <= self . num_digits + 64 - n. leading_zeros( ) as usize && read_index > 0 ) ]
196+ #[ safety :: loop_invariant( n > 0 && read_index <= self . num_digits + 64 - n. leading_zeros( ) as usize && read_index > 0 ) ]
195197 while ( n >> shift) == 0 {
196198 n *= 10 ;
197199 read_index += 1 ;
@@ -208,7 +210,7 @@ impl DecimalSeq {
208210 return ;
209211 }
210212 let mask = ( 1_u64 << shift) - 1 ;
211- #[ kani :: loop_invariant( self . num_digits <= Self :: MAX_DIGITS &&
213+ #[ safety :: loop_invariant( self . num_digits <= Self :: MAX_DIGITS &&
212214 write_index < read_index &&
213215 write_index < Self :: MAX_DIGITS - self . num_digits. saturating_sub( read_index)
214216 ) ]
@@ -219,7 +221,7 @@ impl DecimalSeq {
219221 self . digits [ write_index] = new_digit;
220222 write_index += 1 ;
221223 }
222- #[ kani :: loop_invariant( write_index <= Self :: MAX_DIGITS ) ]
224+ #[ safety :: loop_invariant( write_index <= Self :: MAX_DIGITS ) ]
223225 while n > 0 {
224226 let new_digit = ( n >> shift) as u8 ;
225227 n = 10 * ( n & mask) ;
@@ -382,7 +384,7 @@ fn number_of_digits_decimal_left_shift(d: &DecimalSeq, mut shift: usize) -> usiz
382384 let pow5_b = ( 0x7FF & x_b) as usize ;
383385 let pow5 = & TABLE_POW5 [ pow5_a..] ;
384386
385- #[ kani :: loop_invariant( true ) ]
387+ #[ safety :: loop_invariant( true ) ]
386388 for ( i, & p5) in pow5. iter ( ) . enumerate ( ) . take ( pow5_b - pow5_a) {
387389 if i >= d. num_digits {
388390 return num_new_digits - 1 ;
0 commit comments