 ... @@ -34,7 +34,8 @@ CFML tactics: ... @@ -34,7 +34,8 @@ CFML tactics: - [xcf] - [xcf] - [xsimpl], or [xsimpl X1 .. X2] (to instantiate Hexists) - [xsimpl], or [xsimpl X1 .. Hint Rewrite math_plus_one_twice math_minus_same

(** Basic operations *)
(*---------------------------------------------------------------------*)

(** 
[[ 
let example_let n =
  let a = n+1 in
  let b = n-1 in
  a + b
]] *)

Lemma example_let_spec : forall n,
  app example_let [n]
    PRE \[]
    POST (fun (v:int) => \[v = 2*n]). (* post-condition also written: POST \[= (2 * n)] *)
Proof using.
  (* use: [xcf], [xret], [xsimpl], [math];
     [xlet] is optional; if used then [xpull] is also needed. *)
  dup 3.
  { (* detailed proof *)
    xcf. xlet. xret. simpl. xpull. intros Ha.
    xlet. xret. simpl. xpull. intros Hb.
    xret. (*hnf.*) xsimpl. math. }
  { (* shorter proof *)
    xcf. xret ;=> Ha. xret ;=> Hb. xret. xsimpl. math. }
  { (* real proof *)
    xcf. xrets. xrets. xrets. math. }
Qed. (*---------------------------------------------------------------------*)

(** 
[[ 
let example_incr r =
  r := !r + 1
]] 
normalized to:
[[ 
let example_incr r =
  let x0__ := get r in
  set r (x0__ + 1)
]] *)

Lemma example_incr_spec : forall r n,
  app example_incr [r]
    PRE (r ~~> n)
    POST (fun (_:unit) => (r ~~> (n+1))).
(* post-condition also written: POST (# r ~~> (n+1)). *)
Proof using.
  (* use: [xcf], [xapp];
     [xapps] is a shortand for [xapp] followed with [subst] *)
  dup 3. { xcf. xlet. xapp. simpl. xpull. intros. subst. xapp. }
  { xcf. xapp. intros. subst. xapp. }
  { xcf. xapps. xapp. }
Qed.

(* Remark: here are the specifications of get and set from Pervasives_proof. Lemma get_spec : forall A (v:A) r,
  app get [r]
    PRE (r ~~> v)
    POST (fun x => \[x = v] \* (r ~~> v)).

Lemma set_spec : forall A (w:A) r v,
  app set [r w]
    PRE (r ~~> v)
    POST (fun (_:unit) => r ~~> w).
Qed.
*)

(*---------------------------------------------------------------------*)

(** 
[[ 
let example_two_ref n =
  let i = ref 0 in
  let r = ref n in incr i;
  r := !i + !r;
  !i + !r
]] *)

Lemma example_two_ref_spec : forall n: int,
  (* *)
  app example_two_ref [n]
    PRE \[]
    POST (fun x: int => \[ x = n+1 ]).
  (* *)
Proof using.
  { (* real proof *)
    xcf. xgo~. }
Qed. (***********************************************************************)
(** For loops *)

(*---------------------------------------------------------------------*)

(** 
[[ 
let facto_for n =
  let r = ref 1 in
  for i = 1 to n do
    r := !r * i;
  done;
  !r
]] *)

(* Reasoning principle for the loop [for i = a to b to t done] when [b+1>=a]
   implemented by tactic [xfor_inv I].
   I a                 initial invariant
   I i -> I (i+1)      when executing [t] on some [i] in the range from [a] to [b]
   I (b+1)             final invariant
*)

Lemma facto_for_spec : forall n,
  n >= 1 -> app facto_for [n]
    PRE \[]
    POST (fun (v:int) => \[v = facto n]).
Proof using.
  =>> Hn. xcf. xapps.
  xfor_inv (fun i => r ~~> (facto i)).
  { math. }
  { xsimpl. forwards: facto_zero. easy. }
  { =>> Hi. xapps. xapps. xsimpl.
    rew_maths. rewrite (@facto_succ i). ring. math. }
  xapps. xsimpl. rew_maths. auto.
Qed.

(* Remark: reasoning principle for the loop [for i = a to b to t done] when [b+1>=a]
   I a                 initial invariant
   I i -> I (i+1)      when executing [t] on some [i] in the range from [a] to [b]
   I (b+1)             final invariant
*)

(*---------------------------------------------------------------------*)

(** 
[[ 
let fib_for n =
  let a = ref 0 in
  let b = ref 1 in
  for i = 0 to n-1 do
    let c = !a + !b in
    a := !b;
    b := c;
  done;
  !a
]] *)

Lemma fib_for_spec : forall n,
  n >= 1 ->
  app fib_for [n]
    PRE \[]
    POST (fun (v:int) => \[v = fib n]).
Proof using. (* *)
  =>> Hn. xcf. xapps. xapps.
  xfor_inv (fun i => a ~~> (fib i) \* b ~~> (fib (i+1)) ).
  { math. }
  { xsimpl. rewrite~ fib_base. (* details: math. math. rewrite fib_base. *) rewrite~ fib_base. }
  { =>> Hi. xapps. xapps. xrets. xapps. xapps. xapps. xsimpl.
    rew_maths. rewrite~ (@fib_succ (i+2)). rew_maths.
    math_rewrite ((i + 2)-1 = i+1). math. }
  xapps. xsimpl~.
  (* *)
Qed. (***********************************************************************)
(** While loops *)

(*---------------------------------------------------------------------*)

(** 
[[ 
let example_while n =
  let i = ref 0 in
  let r = ref 0 in
  while !i < n do
    incr i;
    incr r;
  done;
  !r
]] *)

(* Reasoning principle for the loop [while t1 do t2] using an invariant
   implemented by tactic [xwhile_inv_basic J W].
   J b i               true for some boolean [b] and some initial index [k]
   J b i               when executing [t1] on some [i]
     -> J b' i         
   J true i            when executing [t2] on some [i], should restablish the
     -> J b' i'        invariant for some [b'] and some [i'] smaller than [i]
                       w.r.t. [W], that is [W i' i].
   J false i           for some [i] describes the final state
*)

Lemma example_while_spec : forall n,
  n >= 0 -> app example_while [n]
    PRE \[]
    POST (fun (v:int) => \[v = n]).
Proof using.
  =>> Hn. xcf. xapps. xapps.
  xwhile_inv_basic (fun b k => \[b = isTrue (k < n)] \* \[0 <= k <= n]
                             \* i ~~> k \* r ~~> k) (downto 0).
  { xsimpl~. }
  { =>> k. xpull ;=> Hb Hk. xapps. xrets. xsimpl~. }
  { =>> k. xpull ;=> Hb Hk. destruct Hb as (Hk'&Hkk). xapps. xapps. xsimpl~. }
  { =>> k. xpull ;=> Hb Hk. destruct Hb as (Hk'&Hkk). xapps. xsimpl~. }
Qed.

(*---------------------------------------------------------------------*)

(** 
[[ 
let facto_while n =
  let r = ref 1 in
  let i = ref 1 in
  while !i <= n do
    r := !i * !r;
    incr i;
  done;
  !r
]] *)

Lemma facto_while_spec : forall n,
  n >= 2 -> app facto_while [n]
    PRE \[]
    POST (fun (v:int) => \[v = facto n]).
Proof using.
  (* *)
  introv Hn. xcf. xapps. xapps.
  xwhile_inv_basic (fun b k => \[b = isTrue (k <= n)] \* \[2 <= k <= n+1]
                             \* i ~~> k \* r ~~> (facto (k-1))) (downto 2).
  { xsimpl~. rewrite~ facto_one. }
  { =>> k. xpull ;=> Hb Hk. xapps. xrets. xsimpl~. }
  { =>> k. xpull ;=> Hb Hk. destruct Hb as (Hk'&Hkk). xapps. xapps. xapps. xsimpl~.
    rewrite~ (@facto_succ (k-1)). ring_simplify. fequals. math. }
  { =>> k. xpull ;=> Hb Hk. destruct Hb as (Hk'&Hkk). xapps. xsimpl~.
    math_rewrite (k = n+1). rewrite~ facto_succ. }
Qed.

(* TODO: add demos using the other xfor and xwhile approach *)

(*---------------------------------------------------------------------*)

(** 
[[ 
let is_prime n =
  let i = ref 2 in
  let p = ref true in
  while !p && (!i * !i <= n) do
    if (n mod !i) = 0
      then p := false;
    incr i;
  done;
  !p
]] *)

Require Import Psatz. Tactic Notation "math_nia" := math_setup; nia.

Definition prime (n:int) : Prop :=
     n >= 2
  /\ (forall d, 1 < d < n -> Z.rem n d <> 0).

Lemma divide_not_prime : forall n d,
  n >= 2 ->
  1 < d < n ->
  Z.rem n d = 0 ->
  ~ prime n.
Proof using. unfolds prime. math_nia. Qed.

Lemma is_prime_spec : forall n,
  n >= 2 ->
  app is_prime [n]
    PRE \[]
    POST (fun (v:bool) => \[v = isTrue (prime n)]).
Proof using.
  => n Hn. xcf. xapps. xapps.
  xwhile_inv_basic (fun b k => Hexists (vp:bool),
       \[b = isTrue (vp && (k*k <= n))] \* \[2 <= k <= n+1]
    \* i ~~> k \* p ~~> vp
    \* \[if vp then (forall d, 1 < d < k -> Z.rem n d <> 0) else (~ prime n)])
    (downto 2).
  { xsimpl~. => d Hd. math_nia. }
  { xapps. xapps. xrets*. }
  { xapps. xapps. xrets*. }
  { xsimpl*. }
  { => k. xpull ;=> vp Hb Hp Hk.
    xclean. (* cleans up results of boolean tests *)
    destruct Hb as (Hvp&Hkk).
    xapps. xapps. math.
    xrets. xseq. (* TODO: later try to change xif to remove xseq *)
    xif (# Hexists (vp':bool), i ~~> k \* p ~~> vp' \*
           \[if vp' then (forall d, 1 < d < (k+1) -> Z.rem n d <> 0) else (~ prime n)]). { xapps. xsimpl. applys~ divide_not_prime. math_nia. }
    { xrets. rewrite Hvp in *. =>> Hd. tests: (d = k). auto. applys~ Hp. }
    xpull ;=> vp' Hvp'. xapps. xsimpl.
    rewrite Hvp'. case_if~. math. }
  { => k. xpull ;=> vp Hb Hp Hk. destruct Hb as (Hvp&Hkk).
    xapps. xsimpl. rewrite Hvp. unfolds prime. rew_istrue. extens. iff (** Recursion *) (** Recursion *) (*---------------------------------------------------------------------*) (*---------------------------------------------------------------------*) (*---- let rec facto_rec n = (** if n <= 1 [[ then 1 let rec facto_rec n = else n * facto_rec(n-1) if n <= 1 ----*) then 1 else n * facto_rec(n-1) ]] *) Lemma facto_rec_spec : forall n, Lemma facto_rec_spec : forall n, n >= 1 -> n >= 1 -> ... @@ -497,18 +504,21 @@ Proof using. ... @@ -497,18 +504,21 @@ Proof using. => n. induction_wf IH: (downto 0) n. unfolds downto. => Hn. => n. induction_wf IH: (downto 0) n. unfolds downto. => Hn. xcf. xif. xcf. xif. { xrets. math_rewrite (n=1). rewrite~ facto_one. } { xrets. math_rewrite (n=1). rewrite~ facto_one. } { xapps. math. math. (* could be written [xapps~] *) { xapps. math. math. (* optimization: could be written [xapps~] *) xrets. rewrite~ (@facto_succ n). } xrets. rewrite~ (@facto_succ n). } Qed. Qed. (*---------------------------------------------------------------------*) (*---------------------------------------------------------------------*) (*---- let rec fib_rec n = (** if n <= 1 [[ then 1 let rec fib_rec n = else fib_rec(n-1) + fib_rec(n-2) if n <= 1 ----*) then 1 else fib_rec(n-1) + fib_rec(n-2) ]] *) Lemma fib_rec_spec : forall n, Lemma fib_rec_spec : forall n, n >= 0 -> n >= 0 -> ... @@ -516,6 +526,7 @@ Lemma fib_rec_spec : forall n, ... @@ -516,6 +526,7 @@ Lemma fib_rec_spec : forall n, PRE \[] PRE \[] POST (fun (v:int) => \[v = fib n]).