2012-05-07 15:12:08 +02:00
|
|
|
(** {1 Arrays} *)
|
2010-12-29 16:44:59 +01:00
|
|
|
|
2012-05-07 15:12:08 +02:00
|
|
|
(** {2 Generic Arrays}
|
|
|
|
|
|
2012-05-09 11:25:22 +02:00
|
|
|
The length is a non-mutable field, so that we get for free that
|
|
|
|
|
modification of an array does not modify its length.
|
2012-05-07 15:12:08 +02:00
|
|
|
|
|
|
|
|
*)
|
2010-12-30 20:14:11 +01:00
|
|
|
|
2011-05-09 17:06:57 +02:00
|
|
|
module Array
|
|
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
2018-07-02 17:10:35 +02:00
|
|
|
use map.Map
|
2011-05-09 17:06:57 +02:00
|
|
|
|
2019-05-14 15:00:35 +02:00
|
|
|
type array [@extraction:array] 'a = private {
|
2016-03-09 16:50:38 +01:00
|
|
|
mutable ghost elts : int -> 'a;
|
2015-08-20 13:25:30 +02:00
|
|
|
length : int
|
|
|
|
|
} invariant { 0 <= length }
|
2011-05-09 17:06:57 +02:00
|
|
|
|
2016-03-09 16:50:38 +01:00
|
|
|
function ([]) (a: array 'a) (i: int) : 'a = a.elts i
|
2011-05-09 17:06:57 +02:00
|
|
|
|
2015-08-20 13:25:30 +02:00
|
|
|
val ([]) (a: array 'a) (i: int) : 'a
|
2018-01-12 18:03:45 +01:00
|
|
|
requires { [@expl:index in array bounds] 0 <= i < length a }
|
2012-10-13 00:23:29 +02:00
|
|
|
ensures { result = a[i] }
|
2011-05-09 17:06:57 +02:00
|
|
|
|
2017-10-19 13:55:27 +02:00
|
|
|
val ghost function ([<-]) (a: array 'a) (i: int) (v: 'a): array 'a
|
|
|
|
|
ensures { result.length = a.length }
|
2018-07-02 17:10:35 +02:00
|
|
|
ensures { result.elts = Map.set a.elts i v }
|
2017-10-19 13:55:27 +02:00
|
|
|
|
2015-08-20 13:25:30 +02:00
|
|
|
val ([]<-) (a: array 'a) (i: int) (v: 'a) : unit writes {a}
|
2018-01-12 18:03:45 +01:00
|
|
|
requires { [@expl:index in array bounds] 0 <= i < length a }
|
2018-07-02 17:10:35 +02:00
|
|
|
ensures { a.elts = Map.set (old a).elts i v }
|
2017-10-19 13:55:27 +02:00
|
|
|
ensures { a = (old a)[i <- v] }
|
2011-05-09 17:06:57 +02:00
|
|
|
|
2012-05-07 15:12:08 +02:00
|
|
|
(** unsafe get/set operations with no precondition *)
|
2017-05-15 21:52:49 +02:00
|
|
|
|
2011-05-17 18:01:02 +02:00
|
|
|
exception OutOfBounds
|
|
|
|
|
|
2012-10-13 00:23:29 +02:00
|
|
|
let defensive_get (a: array 'a) (i: int)
|
|
|
|
|
ensures { 0 <= i < length a /\ result = a[i] }
|
2015-08-20 13:25:30 +02:00
|
|
|
raises { OutOfBounds -> i < 0 \/ i >= length a }
|
2012-10-13 00:23:29 +02:00
|
|
|
= if i < 0 || i >= length a then raise OutOfBounds;
|
2011-05-31 10:47:17 +02:00
|
|
|
a[i]
|
2011-05-17 18:01:02 +02:00
|
|
|
|
2012-10-13 00:23:29 +02:00
|
|
|
let defensive_set (a: array 'a) (i: int) (v: 'a)
|
2017-10-19 13:55:27 +02:00
|
|
|
ensures { 0 <= i < length a }
|
|
|
|
|
ensures { a = (old a)[i <- v] }
|
2018-02-17 10:46:39 +01:00
|
|
|
raises { OutOfBounds -> (i < 0 \/ i >= length a) /\ a = old a }
|
2012-10-13 00:23:29 +02:00
|
|
|
= if i < 0 || i >= length a then raise OutOfBounds;
|
2011-05-31 10:47:17 +02:00
|
|
|
a[i] <- v
|
2011-05-16 17:13:10 +02:00
|
|
|
|
2020-12-09 23:40:49 +01:00
|
|
|
function make (n: int) (v: 'a) : array 'a
|
|
|
|
|
|
|
|
|
|
axiom make_spec : forall n:int, v:'a.
|
|
|
|
|
n >= 0 ->
|
|
|
|
|
(forall i:int. 0 <= i < n -> (make n v)[i] = v) /\
|
|
|
|
|
length (make n v) = n
|
|
|
|
|
|
|
|
|
|
val make [@extraction:array_make] (n: int) (v: 'a) : array 'a
|
2018-01-12 18:03:45 +01:00
|
|
|
requires { [@expl:array creation size] n >= 0 }
|
2015-07-06 14:02:05 +02:00
|
|
|
ensures { forall i:int. 0 <= i < n -> result[i] = v }
|
2016-03-07 18:06:43 +01:00
|
|
|
ensures { result.length = n }
|
2012-10-02 17:56:08 +02:00
|
|
|
|
2019-06-06 11:30:14 +02:00
|
|
|
val empty () : array 'a
|
|
|
|
|
ensures { result.length = 0 }
|
|
|
|
|
|
2019-06-06 11:38:27 +02:00
|
|
|
let copy (a: array 'a) : array 'a
|
2012-10-13 00:23:29 +02:00
|
|
|
ensures { length result = length a }
|
|
|
|
|
ensures { forall i:int. 0 <= i < length result -> result[i] = a[i] }
|
2019-06-06 11:38:27 +02:00
|
|
|
=
|
|
|
|
|
let len = length a in
|
|
|
|
|
if len = 0 then empty ()
|
|
|
|
|
else begin
|
|
|
|
|
let b = make len a[0] in
|
|
|
|
|
for i = 1 to len - 1 do
|
|
|
|
|
invariant { forall k. 0 <= k < i -> b[k] = a[k] }
|
|
|
|
|
b[i] <- a[i]
|
|
|
|
|
done;
|
|
|
|
|
b
|
|
|
|
|
end
|
2011-01-26 08:06:09 +01:00
|
|
|
|
2019-06-05 15:56:22 +02:00
|
|
|
let sub (a: array 'a) (ofs: int) (len: int) : array 'a
|
|
|
|
|
requires { 0 <= ofs /\ 0 <= len /\ ofs + len <= length a }
|
|
|
|
|
ensures { length result = len }
|
|
|
|
|
ensures { forall i:int. 0 <= i < len -> result[i] = a[ofs + i] }
|
|
|
|
|
=
|
|
|
|
|
if length a = 0 then begin
|
|
|
|
|
assert { len = 0 };
|
2019-06-06 11:38:27 +02:00
|
|
|
empty ()
|
2019-06-05 15:56:22 +02:00
|
|
|
end else begin
|
|
|
|
|
let b = make len a[0] in
|
|
|
|
|
for i = 0 to len-1 do
|
|
|
|
|
invariant { forall k. 0 <= k < i -> b[k] = a[ofs+k] }
|
|
|
|
|
b[i] <- a[ofs+i];
|
|
|
|
|
done;
|
|
|
|
|
b
|
|
|
|
|
end
|
|
|
|
|
|
2015-08-20 13:25:30 +02:00
|
|
|
let fill (a: array 'a) (ofs: int) (len: int) (v: 'a)
|
2013-01-30 19:43:42 +01:00
|
|
|
requires { 0 <= ofs /\ 0 <= len /\ ofs + len <= length a }
|
2012-10-13 00:23:29 +02:00
|
|
|
ensures { forall i:int.
|
2015-08-20 13:25:30 +02:00
|
|
|
(0 <= i < ofs \/ ofs + len <= i < length a) -> a[i] = old a[i] }
|
2012-10-13 00:23:29 +02:00
|
|
|
ensures { forall i:int. ofs <= i < ofs + len -> a[i] = v }
|
2015-08-20 13:25:30 +02:00
|
|
|
=
|
2011-05-31 09:41:40 +02:00
|
|
|
for k = 0 to len - 1 do
|
2012-10-13 00:23:29 +02:00
|
|
|
invariant { forall i:int.
|
2015-08-20 13:25:30 +02:00
|
|
|
(0 <= i < ofs \/ ofs + len <= i < length a) -> a[i] = old a[i] }
|
2012-10-13 00:23:29 +02:00
|
|
|
invariant { forall i:int. ofs <= i < ofs + k -> a[i] = v }
|
2011-05-31 09:41:40 +02:00
|
|
|
a[ofs + k] <- v
|
|
|
|
|
done
|
2011-01-26 08:06:09 +01:00
|
|
|
|
2019-06-05 15:56:22 +02:00
|
|
|
let blit (a1: array 'a) (ofs1: int)
|
2012-10-13 00:23:29 +02:00
|
|
|
(a2: array 'a) (ofs2: int) (len: int) : unit writes {a2}
|
2013-01-30 19:43:42 +01:00
|
|
|
requires { 0 <= ofs1 /\ 0 <= len /\ ofs1 + len <= length a1 }
|
|
|
|
|
requires { 0 <= ofs2 /\ ofs2 + len <= length a2 }
|
2012-10-13 00:23:29 +02:00
|
|
|
ensures { forall i:int.
|
2015-08-20 13:25:30 +02:00
|
|
|
(0 <= i < ofs2 \/ ofs2 + len <= i < length a2) -> a2[i] = old a2[i] }
|
2012-10-13 00:23:29 +02:00
|
|
|
ensures { forall i:int.
|
|
|
|
|
ofs2 <= i < ofs2 + len -> a2[i] = a1[ofs1 + i - ofs2] }
|
2019-06-05 15:56:22 +02:00
|
|
|
=
|
|
|
|
|
for i = 0 to len - 1 do
|
|
|
|
|
invariant { forall k. not (0 <= k < i) -> a2[ofs2 + k] = old a2[ofs2 + k] }
|
|
|
|
|
invariant { forall k. 0 <= k < i -> a2[ofs2 + k] = a1[ofs1 + k] }
|
|
|
|
|
a2[ofs2 + i] <- a1[ofs1 + i];
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
let append (a1: array 'a) (a2: array 'a) : array 'a
|
|
|
|
|
ensures { length result = length a1 + length a2 }
|
|
|
|
|
ensures { forall i. 0 <= i < length a1 -> result[i] = a1[i] }
|
|
|
|
|
ensures { forall i. 0 <= i < length a2 -> result[length a1 + i] = a2[i] }
|
|
|
|
|
=
|
|
|
|
|
if length a1 = 0 then copy a2
|
|
|
|
|
else begin
|
|
|
|
|
let a = make (length a1 + length a2) a1[0] in
|
|
|
|
|
blit a1 0 a 0 (length a1);
|
|
|
|
|
blit a2 0 a (length a1) (length a2);
|
|
|
|
|
a
|
|
|
|
|
end
|
2011-05-05 09:43:15 +02:00
|
|
|
|
2017-05-15 14:26:58 +02:00
|
|
|
let self_blit (a: array 'a) (ofs1: int) (ofs2: int) (len: int) : unit
|
2013-05-19 08:26:41 +02:00
|
|
|
writes {a}
|
|
|
|
|
requires { 0 <= ofs1 /\ 0 <= len /\ ofs1 + len <= length a }
|
|
|
|
|
requires { 0 <= ofs2 /\ ofs2 + len <= length a }
|
|
|
|
|
ensures { forall i:int.
|
2015-08-20 13:25:30 +02:00
|
|
|
(0 <= i < ofs2 \/ ofs2 + len <= i < length a) -> a[i] = old a[i] }
|
2013-05-19 08:26:41 +02:00
|
|
|
ensures { forall i:int.
|
2015-08-20 13:25:30 +02:00
|
|
|
ofs2 <= i < ofs2 + len -> a[i] = old a[ofs1 + i - ofs2] }
|
2017-06-16 14:49:17 +02:00
|
|
|
=
|
2017-04-20 16:03:33 +02:00
|
|
|
if ofs1 <= ofs2 then (* from right to left *)
|
|
|
|
|
for k = len - 1 downto 0 do
|
|
|
|
|
invariant { forall i:int.
|
|
|
|
|
(0 <= i <= ofs2 + k \/ ofs2 + len <= i < length a) ->
|
2017-06-16 14:49:17 +02:00
|
|
|
a[i] = (old a)[i] }
|
2017-04-20 16:03:33 +02:00
|
|
|
invariant { forall i:int.
|
2017-06-16 14:49:17 +02:00
|
|
|
ofs2 + k < i < ofs2 + len -> a[i] = (old a)[ofs1 + i - ofs2] }
|
2017-04-20 16:03:33 +02:00
|
|
|
a[ofs2 + k] <- a[ofs1 + k]
|
|
|
|
|
done
|
|
|
|
|
else (* from left to right *)
|
|
|
|
|
for k = 0 to len - 1 do
|
|
|
|
|
invariant { forall i:int.
|
|
|
|
|
(0 <= i < ofs2 \/ ofs2 + k <= i < length a) ->
|
2017-06-16 14:49:17 +02:00
|
|
|
a[i] = (old a)[i] }
|
2017-04-20 16:03:33 +02:00
|
|
|
invariant { forall i:int.
|
2017-06-16 14:49:17 +02:00
|
|
|
ofs2 <= i < ofs2 + k -> a[i] = (old a)[ofs1 + i - ofs2] }
|
2017-04-20 16:03:33 +02:00
|
|
|
a[ofs2 + k] <- a[ofs1 + k]
|
|
|
|
|
done
|
2013-05-19 08:26:41 +02:00
|
|
|
|
2012-05-07 15:12:08 +02:00
|
|
|
(*** TODO?
|
2011-01-26 09:26:59 +01:00
|
|
|
- concat : 'a array list -> 'a array
|
|
|
|
|
- to_list
|
2011-05-05 09:43:15 +02:00
|
|
|
- of_list
|
2011-01-26 09:26:59 +01:00
|
|
|
*)
|
2011-01-26 08:06:09 +01:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2016-07-11 18:05:30 +02:00
|
|
|
module Init
|
|
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
2016-07-11 18:05:30 +02:00
|
|
|
use export Array
|
|
|
|
|
|
2019-06-06 11:38:27 +02:00
|
|
|
let init (n: int) (f: int -> 'a) : array 'a
|
2018-01-12 18:03:45 +01:00
|
|
|
requires { [@expl:array creation size] n >= 0 }
|
2016-07-11 18:05:30 +02:00
|
|
|
ensures { forall i:int. 0 <= i < n -> result[i] = f i }
|
|
|
|
|
ensures { result.length = n }
|
2019-06-06 11:38:27 +02:00
|
|
|
=
|
|
|
|
|
if n = 0 then empty ()
|
|
|
|
|
else begin
|
|
|
|
|
let a = make n (f 0) in
|
|
|
|
|
for i = 1 to n - 1 do
|
|
|
|
|
invariant { forall k. 0 <= k < i -> a[k] = f k }
|
|
|
|
|
a[i] <- f i
|
|
|
|
|
done;
|
|
|
|
|
a
|
|
|
|
|
end
|
2016-07-11 18:05:30 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2012-05-07 15:12:08 +02:00
|
|
|
(** {2 Sorted Arrays} *)
|
|
|
|
|
|
2014-03-28 15:18:02 +01:00
|
|
|
module IntArraySorted
|
2011-05-11 11:52:25 +02:00
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
|
|
|
|
use Array
|
|
|
|
|
clone map.MapSorted as M with type elt = int, predicate le = (<=)
|
2011-05-11 11:52:25 +02:00
|
|
|
|
2011-06-29 19:13:18 +02:00
|
|
|
predicate sorted_sub (a : array int) (l u : int) =
|
2011-05-11 11:52:25 +02:00
|
|
|
M.sorted_sub a.elts l u
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `sorted_sub a l u` is true whenever the array segment `a(l..u-1)`
|
|
|
|
|
is sorted w.r.t order relation `le` *)
|
2011-05-11 11:52:25 +02:00
|
|
|
|
2011-06-29 19:13:18 +02:00
|
|
|
predicate sorted (a : array int) =
|
2011-05-11 11:52:25 +02:00
|
|
|
M.sorted_sub a.elts 0 a.length
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `sorted a` is true whenever the array `a` is sorted w.r.t `le` *)
|
2014-03-28 15:18:02 +01:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2014-03-29 15:18:08 +01:00
|
|
|
module Sorted
|
2014-03-28 15:18:02 +01:00
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
|
|
|
|
use Array
|
2014-03-28 15:18:02 +01:00
|
|
|
|
|
|
|
|
type elt
|
|
|
|
|
|
|
|
|
|
predicate le elt elt
|
|
|
|
|
|
|
|
|
|
predicate sorted_sub (a: array elt) (l u: int) =
|
2019-04-24 15:23:50 +02:00
|
|
|
forall i1 i2 : int. l <= i1 < i2 < u -> le a[i1] a[i2]
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `sorted_sub a l u` is true whenever the array segment `a(l..u-1)`
|
|
|
|
|
is sorted w.r.t order relation `le` *)
|
2014-03-28 15:18:02 +01:00
|
|
|
|
|
|
|
|
predicate sorted (a: array elt) =
|
2019-04-24 15:23:50 +02:00
|
|
|
forall i1 i2 : int. 0 <= i1 < i2 < length a -> le a[i1] a[i2]
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `sorted a` is true whenever the array `a` is sorted w.r.t `le` *)
|
2011-05-11 11:52:25 +02:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2012-05-07 15:12:08 +02:00
|
|
|
(** {2 Arrays Equality} *)
|
|
|
|
|
|
2011-05-11 11:52:25 +02:00
|
|
|
module ArrayEq
|
|
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
|
|
|
|
use Array
|
|
|
|
|
use map.MapEq
|
2011-05-11 11:52:25 +02:00
|
|
|
|
2011-06-29 19:13:18 +02:00
|
|
|
predicate array_eq_sub (a1 a2: array 'a) (l u: int) =
|
2014-02-04 22:59:56 +01:00
|
|
|
a1.length = a2.length /\ 0 <= l <= a1.length /\ 0 <= u <= a1.length /\
|
2011-05-11 11:52:25 +02:00
|
|
|
map_eq_sub a1.elts a2.elts l u
|
|
|
|
|
|
2011-06-29 19:13:18 +02:00
|
|
|
predicate array_eq (a1 a2: array 'a) =
|
2014-02-04 22:59:56 +01:00
|
|
|
a1.length = a2.length /\ map_eq_sub a1.elts a2.elts 0 (length a1)
|
2011-05-11 11:52:25 +02:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2014-02-14 11:21:59 +01:00
|
|
|
module ArrayExchange
|
|
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
|
|
|
|
use Array
|
|
|
|
|
use map.MapExchange as M
|
2014-02-14 11:21:59 +01:00
|
|
|
|
|
|
|
|
predicate exchange (a1 a2: array 'a) (i j: int) =
|
|
|
|
|
a1.length = a2.length /\
|
|
|
|
|
M.exchange a1.elts a2.elts 0 a1.length i j
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `exchange a1 a2 i j` means that arrays `a1` and `a2` only differ
|
|
|
|
|
by the swapping of elements at indices `i` and `j` *)
|
2014-02-14 11:21:59 +01:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2012-05-07 15:12:08 +02:00
|
|
|
(** {2 Permutation} *)
|
|
|
|
|
|
2011-05-11 11:52:25 +02:00
|
|
|
module ArrayPermut
|
|
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
|
|
|
|
use Array
|
|
|
|
|
use map.MapPermut as M
|
|
|
|
|
use map.MapEq
|
|
|
|
|
use ArrayEq
|
2014-02-14 11:21:59 +01:00
|
|
|
use export ArrayExchange
|
|
|
|
|
|
|
|
|
|
predicate permut (a1 a2: array 'a) (l u: int) =
|
|
|
|
|
a1.length = a2.length /\ 0 <= l <= a1.length /\ 0 <= u <= a1.length /\
|
|
|
|
|
M.permut a1.elts a2.elts l u
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `permut a1 a2 l u` is true when the segment
|
|
|
|
|
`a1(l..u-1)` is a permutation of the segment `a2(l..u-1)`.
|
|
|
|
|
Values outside of the interval `(l..u-1)` are ignored. *)
|
2014-02-14 11:21:59 +01:00
|
|
|
|
|
|
|
|
predicate permut_sub (a1 a2: array 'a) (l u: int) =
|
|
|
|
|
map_eq_sub a1.elts a2.elts 0 l /\
|
|
|
|
|
permut a1 a2 l u /\
|
|
|
|
|
map_eq_sub a1.elts a2.elts u (length a1)
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `permut_sub a1 a2 l u` is true when the segment
|
|
|
|
|
`a1(l..u-1)` is a permutation of the segment `a2(l..u-1)`
|
|
|
|
|
and values outside of the interval `(l..u-1)` are equal. *)
|
2014-02-14 11:21:59 +01:00
|
|
|
|
|
|
|
|
predicate permut_all (a1 a2: array 'a) =
|
|
|
|
|
a1.length = a2.length /\ M.permut a1.elts a2.elts 0 a1.length
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `permut_all a1 a2 l u` is true when array `a1` is a permutation
|
|
|
|
|
of array `a2`. *)
|
2014-02-14 11:21:59 +01:00
|
|
|
|
|
|
|
|
lemma exchange_permut_sub:
|
|
|
|
|
forall a1 a2: array 'a, i j l u: int.
|
|
|
|
|
exchange a1 a2 i j -> l <= i < u -> l <= j < u ->
|
|
|
|
|
0 <= l -> u <= length a1 -> permut_sub a1 a2 l u
|
|
|
|
|
|
2021-01-13 11:09:39 +01:00
|
|
|
lemma permut_sub_trans:
|
|
|
|
|
forall a1 a2 a3: array 'a, l u: int.
|
|
|
|
|
0 <= l -> u <= length a1 -> permut_sub a1 a2 l u ->
|
|
|
|
|
permut_sub a2 a3 l u -> permut_sub a1 a3 l u
|
|
|
|
|
|
2014-02-14 11:21:59 +01:00
|
|
|
(** we can always enlarge the interval *)
|
|
|
|
|
lemma permut_sub_weakening:
|
|
|
|
|
forall a1 a2: array 'a, l1 u1 l2 u2: int.
|
|
|
|
|
permut_sub a1 a2 l1 u1 -> 0 <= l2 <= l1 -> u1 <= u2 <= length a1 ->
|
|
|
|
|
permut_sub a1 a2 l2 u2
|
|
|
|
|
|
|
|
|
|
lemma exchange_permut_all:
|
|
|
|
|
forall a1 a2: array 'a, i j: int.
|
|
|
|
|
exchange a1 a2 i j -> permut_all a1 a2
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2013-03-04 13:25:25 +01:00
|
|
|
module ArraySwap
|
|
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
|
|
|
|
use Array
|
2014-02-14 11:21:59 +01:00
|
|
|
use export ArrayExchange
|
2013-03-04 13:25:25 +01:00
|
|
|
|
|
|
|
|
let swap (a:array 'a) (i:int) (j:int) : unit
|
|
|
|
|
requires { 0 <= i < length a /\ 0 <= j < length a }
|
2014-01-09 16:13:55 +01:00
|
|
|
writes { a }
|
2013-03-04 13:25:25 +01:00
|
|
|
ensures { exchange (old a) a i j }
|
2014-02-12 19:50:04 +01:00
|
|
|
= let v = a[i] in
|
2014-02-06 11:20:41 +01:00
|
|
|
a[i] <- a[j];
|
|
|
|
|
a[j] <- v
|
2013-03-04 13:25:25 +01:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2012-05-07 15:12:08 +02:00
|
|
|
(** {2 Sum of elements} *)
|
|
|
|
|
|
2011-06-21 11:18:26 +02:00
|
|
|
module ArraySum
|
|
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use Array
|
2020-02-12 10:30:25 +01:00
|
|
|
use int.Sum as S
|
2011-06-21 11:18:26 +02:00
|
|
|
|
2018-06-14 08:10:07 +02:00
|
|
|
(** `sum a l h` is the sum of `a[i]` for `l <= i < h` *)
|
2020-02-12 10:30:25 +01:00
|
|
|
function sum (a: array int) (l h: int) : int = S.sum a.elts l h
|
2011-06-21 11:18:26 +02:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2014-11-23 16:22:20 +01:00
|
|
|
(** {2 Number of array elements satisfying a given predicate} *)
|
2012-07-23 19:05:07 +02:00
|
|
|
|
2014-11-23 16:22:20 +01:00
|
|
|
module NumOf
|
2018-06-15 16:45:31 +02:00
|
|
|
use Array
|
2014-11-23 16:22:20 +01:00
|
|
|
use int.NumOf as N
|
2012-07-23 19:05:07 +02:00
|
|
|
|
2018-06-14 08:10:07 +02:00
|
|
|
(** the number of `a[i]` such that `l <= i < u` and `pr i a[i]` *)
|
2014-11-24 14:18:52 +01:00
|
|
|
function numof (pr: int -> 'a -> bool) (a: array 'a) (l u: int) : int =
|
2015-08-20 13:25:30 +02:00
|
|
|
N.numof (fun i -> pr i a[i]) l u
|
2012-07-23 19:05:07 +02:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2013-01-10 13:12:49 +01:00
|
|
|
module NumOfEq
|
2018-06-15 16:45:31 +02:00
|
|
|
use Array
|
2014-11-23 16:22:20 +01:00
|
|
|
use int.NumOf as N
|
2013-01-10 13:12:49 +01:00
|
|
|
|
2018-06-14 08:10:07 +02:00
|
|
|
(** the number of `a[i]` such that `l <= i < u` and `a[i] = v` *)
|
2014-11-23 16:22:20 +01:00
|
|
|
function numof (a: array 'a) (v: 'a) (l u: int) : int =
|
2015-08-20 13:25:30 +02:00
|
|
|
N.numof (fun i -> a[i] = v) l u
|
2017-05-15 21:52:49 +02:00
|
|
|
|
2012-11-19 15:28:14 +01:00
|
|
|
end
|
2014-06-08 10:13:35 +02:00
|
|
|
|
|
|
|
|
module ToList
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
|
|
|
|
use Array
|
|
|
|
|
use list.List
|
2014-06-08 10:13:35 +02:00
|
|
|
|
2016-03-09 16:50:38 +01:00
|
|
|
let rec function to_list (a: array 'a) (l u: int) : list 'a
|
|
|
|
|
requires { l >= 0 /\ u <= a.length }
|
|
|
|
|
variant { u - l }
|
|
|
|
|
= if u <= l then Nil else Cons a[l] (to_list a (l+1) u)
|
2014-06-08 10:13:35 +02:00
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use list.Append
|
2017-04-20 10:34:47 +02:00
|
|
|
|
2017-05-12 14:46:14 +02:00
|
|
|
let rec lemma to_list_append (a: array 'a) (l m u: int)
|
2017-05-31 17:49:29 +02:00
|
|
|
requires { 0 <= l <= m <= u <= a.length }
|
2017-05-12 14:46:14 +02:00
|
|
|
variant { m - l }
|
|
|
|
|
ensures { to_list a l m ++ to_list a m u = to_list a l u }
|
|
|
|
|
= if l < m then to_list_append a (l+1) m u
|
2017-04-20 10:34:47 +02:00
|
|
|
|
2014-06-08 10:13:35 +02:00
|
|
|
end
|
2016-03-21 16:13:22 +01:00
|
|
|
|
|
|
|
|
module ToSeq
|
2018-06-15 16:45:31 +02:00
|
|
|
use int.Int
|
|
|
|
|
use Array
|
2016-03-21 16:13:22 +01:00
|
|
|
use seq.Seq as S
|
|
|
|
|
|
2017-06-21 16:31:22 +02:00
|
|
|
let rec function to_seq_sub (a: array 'a) (l u: int) : S.seq 'a
|
2016-06-16 08:23:43 +02:00
|
|
|
requires { l >= 0 /\ u <= a.length }
|
|
|
|
|
variant { u - l }
|
2017-06-21 16:31:22 +02:00
|
|
|
= if u <= l then S.empty else S.cons a[l] (to_seq_sub a (l+1) u)
|
2016-03-21 16:13:22 +01:00
|
|
|
|
2017-07-19 16:55:38 +02:00
|
|
|
let rec lemma to_seq_length (a: array 'a) (l u: int)
|
2016-03-31 11:43:18 +02:00
|
|
|
requires { 0 <= l <= u <= length a }
|
|
|
|
|
variant { u - l }
|
2017-06-21 16:31:22 +02:00
|
|
|
ensures { S.length (to_seq_sub a l u) = u - l }
|
2016-03-31 11:43:18 +02:00
|
|
|
= if l < u then to_seq_length a (l+1) u
|
2016-03-21 17:19:02 +01:00
|
|
|
|
2017-07-19 16:55:38 +02:00
|
|
|
let rec lemma to_seq_nth (a: array 'a) (l i u: int)
|
2016-03-31 11:43:18 +02:00
|
|
|
requires { 0 <= l <= i < u <= length a }
|
|
|
|
|
variant { i - l }
|
2017-06-21 16:31:22 +02:00
|
|
|
ensures { S.get (to_seq_sub a l u) (i - l) = a[i] }
|
2016-03-31 11:43:18 +02:00
|
|
|
= if l < i then to_seq_nth a (l+1) i u
|
2016-03-21 17:19:02 +01:00
|
|
|
|
2017-06-21 16:31:22 +02:00
|
|
|
let function to_seq (a: array 'a) : S.seq 'a = to_seq_sub a 0 (length a)
|
|
|
|
|
meta coercion function to_seq
|
|
|
|
|
|
2014-06-08 10:13:35 +02:00
|
|
|
end
|
2017-06-29 14:46:02 +02:00
|
|
|
|
|
|
|
|
(** {2 Number of inversions in an array of integers}
|
|
|
|
|
|
|
|
|
|
We show that swapping two elements that are ill-sorted decreases
|
|
|
|
|
the number of inversions. Useful to prove the termination of
|
|
|
|
|
sorting algorithms that use swaps. *)
|
|
|
|
|
|
|
|
|
|
module Inversions
|
|
|
|
|
|
2018-06-15 16:45:31 +02:00
|
|
|
use Array
|
|
|
|
|
use ArrayExchange
|
|
|
|
|
use int.Int
|
|
|
|
|
use int.Sum
|
|
|
|
|
use int.NumOf
|
2017-06-29 14:46:02 +02:00
|
|
|
|
|
|
|
|
(* to prove termination, we count the total number of inversions *)
|
|
|
|
|
predicate inversion (a: array int) (i j: int) =
|
|
|
|
|
a[i] > a[j]
|
|
|
|
|
|
|
|
|
|
function inversions_for (a: array int) (i: int) : int =
|
|
|
|
|
numof (inversion a i) i (length a)
|
|
|
|
|
|
|
|
|
|
function inversions (a: array int) : int =
|
|
|
|
|
sum (inversions_for a) 0 (length a)
|
|
|
|
|
|
|
|
|
|
(* the key lemma to prove termination: whenever we swap two consecutive
|
|
|
|
|
values that are ill-sorted, the total number of inversions decreases *)
|
|
|
|
|
let lemma exchange_inversion (a1 a2: array int) (i0: int)
|
|
|
|
|
requires { 0 <= i0 < length a1 - 1 }
|
|
|
|
|
requires { a1[i0] > a1[i0 + 1] }
|
|
|
|
|
requires { exchange a1 a2 i0 (i0 + 1) }
|
|
|
|
|
ensures { inversions a2 < inversions a1 }
|
|
|
|
|
= assert { inversion a1 i0 (i0+1) };
|
|
|
|
|
assert { not (inversion a2 i0 (i0+1)) };
|
|
|
|
|
assert { forall i. 0 <= i < i0 ->
|
|
|
|
|
inversions_for a2 i = inversions_for a1 i
|
|
|
|
|
by numof (inversion a2 i) i (length a2)
|
|
|
|
|
= numof (inversion a2 i) i i0
|
|
|
|
|
+ numof (inversion a2 i) i0 (i0+1)
|
|
|
|
|
+ numof (inversion a2 i) (i0+1) (i0+2)
|
|
|
|
|
+ numof (inversion a2 i) (i0+2) (length a2)
|
|
|
|
|
/\ numof (inversion a1 i) i (length a1)
|
|
|
|
|
= numof (inversion a1 i) i i0
|
|
|
|
|
+ numof (inversion a1 i) i0 (i0+1)
|
|
|
|
|
+ numof (inversion a1 i) (i0+1) (i0+2)
|
|
|
|
|
+ numof (inversion a1 i) (i0+2) (length a1)
|
|
|
|
|
/\ numof (inversion a2 i) i0 (i0+1)
|
|
|
|
|
= numof (inversion a1 i) (i0+1) (i0+2)
|
|
|
|
|
/\ numof (inversion a2 i) (i0+1) (i0+2)
|
|
|
|
|
= numof (inversion a1 i) i0 (i0+1)
|
|
|
|
|
/\ numof (inversion a2 i) i i0 = numof (inversion a1 i) i i0
|
|
|
|
|
/\ numof (inversion a2 i) (i0+2) (length a2)
|
|
|
|
|
= numof (inversion a1 i) (i0+2) (length a1)
|
|
|
|
|
};
|
|
|
|
|
assert { forall i. i0 + 1 < i < length a1 ->
|
|
|
|
|
inversions_for a2 i = inversions_for a1 i };
|
|
|
|
|
assert { inversions_for a2 i0 = inversions_for a1 (i0+1)
|
|
|
|
|
by numof (inversion a1 (i0+1)) (i0+2) (length a1)
|
|
|
|
|
= numof (inversion a2 i0 ) (i0+2) (length a1) };
|
|
|
|
|
assert { 1 + inversions_for a2 (i0+1) = inversions_for a1 i0
|
|
|
|
|
by numof (inversion a1 i0) i0 (length a1)
|
|
|
|
|
= numof (inversion a1 i0) (i0+1) (length a1)
|
2017-11-07 16:46:53 +01:00
|
|
|
= 1 + numof (inversion a1 i0) (i0+2) (length a1)
|
|
|
|
|
= 1 + numof (inversion a2 (i0+1)) (i0+2) (length a2) };
|
2017-06-29 14:46:02 +02:00
|
|
|
let sum_decomp (a: array int) (i j k: int)
|
|
|
|
|
requires { 0 <= i <= j <= k <= length a = length a1 }
|
|
|
|
|
ensures { sum (inversions_for a) i k =
|
|
|
|
|
sum (inversions_for a) i j + sum (inversions_for a) j k }
|
|
|
|
|
= () in
|
|
|
|
|
let decomp (a: array int)
|
|
|
|
|
requires { length a = length a1 }
|
|
|
|
|
ensures { inversions a = sum (inversions_for a) 0 i0
|
|
|
|
|
+ inversions_for a i0
|
|
|
|
|
+ inversions_for a (i0+1)
|
|
|
|
|
+ sum (inversions_for a) (i0+2) (length a) }
|
|
|
|
|
= sum_decomp a 0 i0 (length a);
|
|
|
|
|
sum_decomp a i0 (i0+1) (length a);
|
|
|
|
|
sum_decomp a (i0+1) (i0+2) (length a);
|
|
|
|
|
in
|
|
|
|
|
decomp a1; decomp a2;
|
|
|
|
|
()
|
|
|
|
|
|
|
|
|
|
end
|
