source: CIVL/examples/loop_invariants/Jans_example/fixed_block/invariant_replace_nonlinear.cvl

/* A variant of the verification attemptation of the 'invariant.cvl'
 * example under this directory: the point is replace all non-linear
 * term uin[i][j] * uin[i][j] to a function call in annotations.
 */
#include <stdio.h>
#include <string.h>
#ifdef _CIVL
#include <civlc.cvh>
#pragma CIVL ACSL
#endif

#ifdef _CIVL
$input int ni,nj;
$assume(ni > 1);
$assume(nj > 1);
$input double uin[ni][nj];
#endif

int main(int argc, char** argv) {
  int i,j,ir,jr;
  double u1[ni][nj];
  double u2[ni][nj];

  $abstract double square(double x);
  $assume($forall (double x) square(x) == x * x);

  $assume($forall (int i : 0 .. ni-1) 
          ($forall (int j : 0 .. nj-1) u1[i][j] == 0 && u2[i][j] == 0)
          );

  double tmp1[ni][nj];

  $assume($forall (int i : 1 .. ni-2) 
          ($forall (int j : 1 .. nj-2) tmp1[i][j] == square(uin[i][j]))
          );
  $assume($forall (int j : 0 .. nj-1) tmp1[0][j] == 0 && tmp1[ni-1][j] == 0);
  $assume($forall (int i : 0 .. ni - 1) tmp1[i][0] == 0 &&  tmp1[i][nj-1] == 0);
  memcpy(u1, tmp1, sizeof(double) * ni * nj);

  if (ni > 2) {
    i = ni - 1; 
    if (nj > 2)
      j = nj - 1;
    else
      j = 1;
  } else {
    i = 1;
    j = nj;
  }

  /*@ loop invariant 1 <= i <= ni-1;  
    @ loop invariant 1 < i ==> (nj - 2 <= j <= nj - 1 && j % 2 != 0); // needed for the rest of the code
    @ loop invariant \forall int t, k; 1 <= t < i && 1 <= k < nj - 2 && k % 2 != 0
    @                     ==> u2[t][k] == square(uin[t][k]) && u2[t][k+1] == square(uin[t][k+1]);
    @ loop invariant i % 2 != 0;
    @ loop assigns u2[1 .. ni-2][1 .. nj-2], i, j;
    @*/
  for(i=1;i<ni-2;i=i+2) {
  /*@ loop invariant 1 <= i < ni-2;  
    @ loop invariant 1 <= j <= nj-1;
    @ loop invariant \forall int k; 1 <= k < j 
    @                  ==> u2[i][k] == square(uin[i][k]) && u2[i+1][k] == square(uin[i+1][k]) ;
    @ loop invariant i % 2 != 0 && j % 2 != 0;
    @ loop assigns u2[i][1 .. nj-2], u2[i+1][1 .. nj-2], j;
    @*/
    for(j=1;j<nj-2;j=j+2) {
      u2[i][j] = uin[i][j]*uin[i][j];
      u2[i+1][j] = uin[i+1][j]*uin[i+1][j];
      u2[i][j+1] = uin[i][j+1]*uin[i][j+1];
      u2[i+1][j+1] = uin[i+1][j+1]*uin[i+1][j+1];
    }
  }  
  // remainder
  if(i==ni-2) {
    /*@ loop invariant 1 <= jr <= nj-1;
      @ loop invariant \forall int t; 1 <= t < jr ==>
      @                    u2[i][t] == square(uin[i][t]);
      @ loop assigns   jr, u2[i][1 .. nj-2];
      @*/
    for(jr=1;jr<nj-1;jr++) {
      u2[i][jr] = uin[i][jr]*uin[i][jr];
    }
  }
  if(j==nj-2) {
    /*@ loop invariant 1 <= ir <= ni-1;
      @ loop invariant \forall int t; 1 <= t < ir ==>
      @                    u2[t][j] == square(uin[t][j]);
      @ loop assigns   ir, u2[1 .. ni-2][j];
      @*/
    for(ir=1;ir<ni-1;ir++) {
      u2[ir][j] = uin[ir][j]*uin[ir][j];
    }
  }
  if(i==ni-2 && j==nj-2) u2[i][j] = uin[i][j]*uin[i][j];

  $assert($forall (int i: 0 .. ni-1) 
          ($forall (int j: 0 .. nj-1) u1[i][j] == u2[i][j])
          );
}