/*@ predicate Length_of_str_is{L}(char *s, integer n) = n >= 0 && \val

1. /*@
2. predicate Length_of_str_is{L}(char *s, integer n) =
3. n >= 0 && \valid(s+(0..n)) && s[n] == 0 &&
4. \forall integer k ; (0 <= k < n) ==> (s[k] != 0) ;
5.  
6. axiomatic Length
7. {
8. logic integer Length{L}(char *s) reads s[..];
9.  
10. axiom string_length{L}:
11. \forall integer n, char *s ; Length_of_str_is(s, n) ==> Length(s) == n ;
12. }
13.  
14. @*/
15.  
16. /*@
17. requires \exists integer i; Length_of_str_is(s,i);
18. assigns \nothing;
19. ensures \exists integer i; Length_of_str_is(s,i) && \result == i;
20. @*/
21. int strlen(const char *s) {
22. const char *ss = s;
23. /*@
24. loop invariant s <= ss <= s+Length(s);
25. loop invariant \forall integer i; 0 <= i < (ss-s) ==> s[i] != 0;
26. loop assigns ss;
27. loop variant Length(s) - (ss-s);
28. @*/
29. while (*ss)
30. ss++;
31.  
32.  
33. //@ assert \false;
34. return ss - s;
35. }