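/* 22c181: Formal Methods in Software Engineering
   Fall 2013
   The University of Iowa
   Instructor: Cesare Tinelli

   Credits: Example courtesy of Rajeev Joshi, NASA JPL
*/

// A verified counter that separates the client-visible ("abstract") state
// from the implementation ("concrete") state.  Every method specification
// below talks only about the ghost field `value`, so the representation
// (`inc`, `dec`) can be replaced without touching client proofs.
class Counter {
  // The "abstract" state which is visible to clients.
  // `ghost` means it exists only for verification: it is erased from
  // compiled code and cannot be read or altered at runtime.
  ghost var value:int ;

  // The object invariant -- indicates how the abstract and
  // concrete states are related.  `reads this` declares that the
  // predicate depends on this object's fields and nothing else.
  predicate Valid()
    reads this ;
  {
    value == inc - dec
  }

  // The constructor: establishes the invariant with the counter at zero.
  constructor init()
    modifies this ;
    ensures Valid() && value == 0 ;
  {
    inc := 0 ;
    dec := 0 ;
    value := 0 ;
  }

  // The actual implementation (also called the "concrete state").
  // This is hidden from the client: no postcondition mentions these fields.
  var inc:int ;
  var dec:int ;

  // Method implementations. Note that the specifications only
  // mention the abstract state and not the concrete state. This
  // allows us to later change the implementation without breaking
  // any client code.

  // Increments the counter by one.
  // Requires: the invariant holds on entry.
  // Ensures:  the invariant still holds and `value` grew by exactly one.
  method Inc()
    requires Valid() ;
    modifies this ;
    ensures Valid() ;
    ensures value == old(value) + 1 ;
  {
    inc := inc + 1 ;
    value := value + 1 ;  // ghost update, keeps Valid() provable
  }

  // Decrements the counter by one.
  // Requires: the invariant holds on entry.
  // Ensures:  the invariant still holds and `value` shrank by exactly one.
  method Dec()
    requires Valid() ;
    modifies this ;
    ensures Valid() ;
    ensures value == old(value) - 1 ;
  {
    dec := dec + 1 ;
    value := value - 1 ;  // ghost update, keeps Valid() provable
  }

  // Resets the counter to zero.
  // Requires: the invariant holds on entry.
  // Ensures:  the invariant holds and `value` is 0.
  method Clear()
    requires Valid() ;
    modifies this ;
    ensures Valid() ;
    ensures value == 0 ;
  {
    inc := 0 ;
    dec := 0 ;
    value := 0 ;
  }

  // Returns the current count.
  // There is no `modifies` clause, so the verifier guarantees this method
  // cannot change any heap state; the result is tied to the abstract `value`.
  // Returns: n, with n == value.
  method Get() returns (n:int)
    requires Valid() ;
    ensures Valid() ;
    ensures n == value ;
  {
    return inc - dec ;
  }

  // Sets the counter to an arbitrary value n.
  // Requires: the invariant holds on entry.
  // Ensures:  the invariant holds and `value` equals n.
  // (Clause order matches the other methods: requires, modifies, ensures.)
  method Set(n:int)
    requires Valid() ;
    modifies this ;
    ensures Valid() ;
    ensures value == n ;
  {
    inc := n ;
    dec := 0 ;
    value := n ;
  }
}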