nat
The nat type represents natural numbers in Katon.
It is a refinement of int used to express values that are known to be non-negative. nat is commonly used for array indices, sizes, counters, and numeric invariants where negativity is invalid by definition.
Semantics
A nat value denotes an element of the mathematical set ℕ.
Formally:
Semantically, nat is a subset of int with an additional non-negativity constraint. At the logical level, nat values are represented as mathematical integers together with the invariant that their value is greater than or equal to zero.
Relationship to int
nat is not a separate numeric domain from int.
- Both
intandnatare represented as mathematical integers - Every
natis anint - Not every
intis anat
The distinction exists to encode semantic intent and to enable additional verification checks.
Operations
All arithmetic and comparison operations defined on int are also defined on nat.
| Operator | Meaning |
|---|---|
| + | Addition |
| - | Subtraction |
| * | Multiplication |
| / | Integer Division |
| unary - | Negation |
Operations on nat values produce results of type int. Assigning the result back to a nat variable requires proving that the result is non-negative.
Assignment and Safety
Assigning a value to a variable of type nat requires that the value be provably non-negative.
If the verifier cannot prove that the assigned value is greater than or equal to zero, the program is rejected.
Copy Semantics
Like int, nat is a copy type.
-
Reading a
natdoes not consume it -
Assigning or passing a
natnever invalidates the original value -
nathas no ownership, borrowing, or aliasing semantics
Current Limitations (To Be Fixed)
Warning
Some safety properties of nat are not fully enforced yet.
-
Certain arithmetic operations may not generate complete non-negativity proofs
-
Some assignments rely on conservative SMT checks
-
Diagnostic messages for failed
natconstraints may be incomplete
These limitations are known and will be addressed as Katon’s verification and type systems mature.