Pre and post conditions can be used to prove program properties
...
function match (needle, hay: String; loc: Positive) return Boolean is
(for all i in 1 .. needle'length => needle(i) = hay(loc + i - 1))
with
pre => loc in hay'length - needle'length - 1,
function search (needle, hay: String) return Natural with
pre => needle'length in 1 .. hay'length,
post => (search'result in 0 .. hay'length - needle'length + 1
and then
(if search'result > 0 then
match(needle, hay, search'result)
else
(for all loc in 1 .. hay'length - needle'length + 1
=> not match(needle, hay, loc))
))