a stronger lemma in list.Sorted

updated proof sesssions
mergesort_list in progress

examples/insertion_sort_list/why3session.xml

@@ -24,7 +24,7 @@
     locfile="../insertion_sort_list.mlw"
     loclnum="13" loccnumb="10" loccnume="16"
     expl="VC for insert"
-    sum="cc3fc1c2b87387b1c4fa4533d749cd4e"
+    sum="2ab5530925627c4937e0de61cca52b1e"
     proved="true"
     expanded="true"
     shape="CapermutaConsV0V1V2AasortedV2LaConsV0aNilaNiliapermutaConsV0V1V6AasortedV6LaConsV3V5IapermutaConsV0V4V5AasortedV5FAasortedV4ACfaNilainfix =V7V4aConswVV1apermutaConsV0V1V8AasortedV8LaConsV0V1aleV0V3aConsVVV1IasortedV1F">
@@ -39,7 +39,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="13" loccnumb="10" loccnume="16"
       expl="1. postcondition"
-      sum="d94333f89c188ca295e2771d3c06616e"
+      sum="26c695c439fabd3de02286b4f293e7e6"
       proved="true"
       expanded="false"
       shape="postconditionCasortedV2LaConsV0aNilaNiltaConsVVV1IasortedV1F">
@@ -59,7 +59,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="13" loccnumb="10" loccnume="16"
       expl="2. postcondition"
-      sum="a90aefb24c56deed211a9a5adbe9a4bc"
+      sum="9e061c4e7ee2ace6beb1b5e9c012cd39"
       proved="true"
       expanded="false"
       shape="postconditionCapermutaConsV0V1V2LaConsV0aNilaNiltaConsVVV1IasortedV1F">
@@ -79,7 +79,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="13" loccnumb="10" loccnume="16"
       expl="3. postcondition"
-      sum="978c39769aacdd812aff5e13ab053fce"
+      sum="57036f30e830ba4cbbdf65329150ae67"
       proved="true"
       expanded="false"
       shape="postconditionCtaNilasortedV4LaConsV0V1IaleV0V2aConsVVV1IasortedV1F">
@@ -99,7 +99,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="13" loccnumb="10" loccnume="16"
       expl="4. postcondition"
-      sum="f6f2cc2d6a9a3e28c44ec8b6004aca92"
+      sum="755568401b59eb8004687a922692036e"
       proved="true"
       expanded="false"
       shape="postconditionCtaNilapermutaConsV0V1V4LaConsV0V1IaleV0V2aConsVVV1IasortedV1F">
@@ -119,7 +119,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="13" loccnumb="10" loccnume="16"
       expl="5. variant decrease"
-      sum="34644657d76f754487955c41435534f2"
+      sum="c8a1534df83fe53605c22aa1c7272c65"
       proved="true"
       expanded="false"
       shape="variant decreaseCtaNilCfaNilainfix =V4V3aConswVV1INaleV0V2aConsVVV1IasortedV1F">
@@ -139,7 +139,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="13" loccnumb="10" loccnume="16"
       expl="6. precondition"
-      sum="027752c77210629ac8042ee30c63b913"
+      sum="46429d97e19638c9c02454b481b6e6d7"
       proved="true"
       expanded="false"
       shape="preconditionCtaNilasortedV3INaleV0V2aConsVVV1IasortedV1F">
@@ -159,7 +159,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="13" loccnumb="10" loccnume="16"
       expl="7. postcondition"
-      sum="8d29fdf017af31d90092c8aaf0cf9b50"
+      sum="423312fc8a78607a5599ddf0b1ffd470"
       proved="true"
       expanded="false"
       shape="postconditionCtaNilasortedV5LaConsV2V4IapermutaConsV0V3V4AasortedV4FIasortedV3INaleV0V2aConsVVV1IasortedV1F">
@@ -171,7 +171,7 @@
        memlimit="1000"
        obsolete="false"
        archived="false">
-       <result status="valid" time="1.15"/>
+       <result status="valid" time="0.50"/>
       </proof>
      </goal>
      <goal
@@ -179,7 +179,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="13" loccnumb="10" loccnume="16"
       expl="8. postcondition"
-      sum="b8fe894d268a2476800098cc339892b5"
+      sum="e75d8326069d6d6391739d9c81cacbed"
       proved="true"
       expanded="true"
       shape="postconditionCtaNilapermutaConsV0V1V5LaConsV2V4IapermutaConsV0V3V4AasortedV4FIasortedV3INaleV0V2aConsVVV1IasortedV1F">
@@ -201,7 +201,7 @@
     locfile="../insertion_sort_list.mlw"
     loclnum="23" loccnumb="10" loccnume="24"
     expl="VC for insertion_sort"
-    sum="b1a299800b4664e15a2afe7c1f44ba06"
+    sum="2b90568e336e3cbfb046f2050c83c132"
     proved="true"
     expanded="true"
     shape="CapermutV0V1AasortedV1LaNilaNilapermutV0V5AasortedV5IapermutaConsV2V4V5AasortedV5FAasortedV4IapermutV3V4AasortedV4FACfaNilainfix =V6V3aConswVV0aConsVVV0F">
@@ -216,7 +216,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="23" loccnumb="10" loccnume="24"
       expl="1. postcondition"
-      sum="817683103cb88e976105ad6982bc7290"
+      sum="18c25e7f68de2e72d45f2e0907d9adba"
       proved="true"
       expanded="false"
       shape="postconditionCasortedV1LaNilaNiltaConsVVV0F">
@@ -236,7 +236,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="23" loccnumb="10" loccnume="24"
       expl="2. postcondition"
-      sum="17c1bc20bcc98a2a62255d08f0629ffd"
+      sum="1555231f2b79045ffd75b11235e469c1"
       proved="true"
       expanded="false"
       shape="postconditionCapermutV0V1LaNilaNiltaConsVVV0F">
@@ -256,7 +256,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="23" loccnumb="10" loccnume="24"
       expl="3. variant decrease"
-      sum="49daa7aafece9356fa313a12cbd9e9b0"
+      sum="8a447ef6328a2fdb85dc0aeb984dc6de"
       proved="true"
       expanded="false"
       shape="variant decreaseCtaNilCfaNilainfix =V3V2aConswVV0aConsVVV0F">
@@ -276,7 +276,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="23" loccnumb="10" loccnume="24"
       expl="4. precondition"
-      sum="42a3ae045178dfa95e3983d955cf627b"
+      sum="107d2ae80e4e5f13c8eadf3131aee2ee"
       proved="true"
       expanded="false"
       shape="preconditionCtaNilasortedV3IapermutV2V3AasortedV3FaConsVVV0F">
@@ -296,7 +296,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="23" loccnumb="10" loccnume="24"
       expl="5. postcondition"
-      sum="c66d62770e5611b4672191a30fe07831"
+      sum="9939ef6177d7435224746e2b13d887c6"
       proved="true"
       expanded="false"
       shape="postconditionCtaNilasortedV4IapermutaConsV1V3V4AasortedV4FIasortedV3IapermutV2V3AasortedV3FaConsVVV0F">
@@ -316,7 +316,7 @@
       locfile="../insertion_sort_list.mlw"
       loclnum="23" loccnumb="10" loccnume="24"
       expl="6. postcondition"
-      sum="ba5c17e2bd3c3448478bf9f75692ba7a"
+      sum="c44c4abe0a0483801f2b4d24ad14978b"
       proved="true"
       expanded="false"
       shape="postconditionCtaNilapermutV0V4IapermutaConsV1V3V4AasortedV4FIasortedV3IapermutV2V3AasortedV3FaConsVVV0F">

examples/mergesort_list.mlw

@@ -18,6 +18,8 @@ module Elt
 
 end
 
+(** recursive (and naive) merging of two sorted lists *)
+
 module Merge (* : MergeSpec *)
 
   clone export Elt
@@ -72,9 +74,15 @@ module EfficientMerge (* : MergeSpec *)
 
 end
 
+(** Mergesort.
+
+    This implementation splits the input list in two according to even- and
+    odd-order elements (see function [split] below). Thus it is not stable.
+    For a stable implementation, see below module [OCamlMergesort]. *)
+
 module Mergesort
 
-  clone import Merge
+  clone import Merge (* or EfficientMerge *)
 
   let split (l0: list 'a) : (list 'a, list 'a)
     requires { length l0 >= 2 }
@@ -103,6 +111,10 @@ module Mergesort
 
 end
 
+(** {2 OCaml's List.sort}
+
+*)
+
 module OCamlMergesort
 
   clone export Elt
@@ -110,25 +122,6 @@ module OCamlMergesort
   use import list.Reverse
   use import list.RevAppend
 
-  function prefix int (list 'a) : list 'a
-
-  axiom prefix_def1:
-    forall l: list 'a. prefix 0 l = Nil
-  axiom prefix_def2:
-    forall n: int, x: 'a, l: list 'a. n > 0 ->
-    prefix n (Cons x l) = Cons x (prefix (n-1) l)
-
-  let rec chop (n: int) (l: list 'a) : list 'a
-    requires { 0 <= n <= length l }
-    ensures  { l = prefix n l ++ result }
-    variant  { n }
-  =
-    if n = 0 then l else
-    match l with
-      | Cons _ t -> chop (n-1) t
-      | Nil -> absurd
-    end
-
   lemma sorted_reverse_cons:
     forall acc x1. sorted (reverse acc) ->
     (forall x. mem x acc -> le x x1) -> sorted (reverse (Cons x1 acc))
@@ -154,6 +147,9 @@ module OCamlMergesort
                    else rev_merge l1 t2 (Cons h2 accu)
     end
 
+  lemma sorted_reverse_mem:
+    forall x l. sorted (reverse (Cons x l)) -> forall y. mem y l -> le y x
+
   lemma sorted_reverse_cons2:
     forall x l. sorted (reverse (Cons x l)) -> sorted (reverse l)
 
@@ -172,6 +168,25 @@ module OCamlMergesort
                          else rev_merge_rev l1 t2 (Cons h2 accu)
     end
 
+  function prefix int (list 'a) : list 'a
+
+  axiom prefix_def1:
+    forall l: list 'a. prefix 0 l = Nil
+  axiom prefix_def2:
+    forall n: int, x: 'a, l: list 'a. n > 0 ->
+    prefix n (Cons x l) = Cons x (prefix (n-1) l)
+
+  let rec chop (n: int) (l: list 'a) : list 'a
+    requires { 0 <= n <= length l }
+    ensures  { l = prefix n l ++ result }
+    variant  { n }
+  =
+    if n = 0 then l else
+    match l with
+      | Cons _ t -> chop (n-1) t
+      | Nil -> absurd
+    end
+
   val sort (n: int) (l: list elt) : list elt
     requires { 2 <= n <= length l }
     ensures  { sorted result }

examples/mergesort_queue/why3session.xml

@@ -32,7 +32,7 @@
     locfile="../mergesort_queue.mlw"
     loclnum="20" loccnumb="6" loccnume="11"
     expl="VC for merge"
-    sum="33709664464e925c8c032cc33ec87826"
+    sum="f82cf76994847f6ced931a52cfe3971e"
     proved="true"
     expanded="true"
     shape="iiapermutV3ainfix ++V0V1iiiainfix <ainfix +alengthV5alengthV8ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Aapermutainfix ++ainfix ++V10V5V8ainfix ++V0V1Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV4FFANainfix =V4aNilainfix <ainfix +alengthV13alengthV4ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Aapermutainfix ++ainfix ++V15V13V4ainfix ++V0V1Iainfix =V15ainfix ++V3aConsV14aNilFICfaNilainfix =V13V17Aainfix =V14V16aConsVVV5FFANainfix =V5aNilaleV6V7ICfaNilainfix =V7V18aConsVwV4FANainfix =V4aNilICfaNilainfix =V6V19aConsVwV5FANainfix =V5aNilainfix <ainfix +alengthV20alengthV4ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Aapermutainfix ++ainfix ++V22V20V4ainfix ++V0V1Iainfix =V22ainfix ++V3aConsV21aNilFICfaNilainfix =V20V24Aainfix =V21V23aConsVVV5FFANainfix =V5aNilainfix =alengthV4c0ainfix <ainfix +alengthV5alengthV25ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Aapermutainfix ++ainfix ++V27V5V25ainfix ++V0V1Iainfix =V27ainfix ++V3aConsV26aNilFICfaNilainfix =V25V29Aainfix =V26V28aConsVVV4FFANainfix =V4aNilainfix =alengthV5c0ainfix >alengthV4c0iiiainfix <ainfix +alengthV5alengthV32ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Aapermutainfix ++ainfix ++V34V5V32ainfix ++V0V1Iainfix =V34ainfix ++V3aConsV33aNilFICfaNilainfix =V32V36Aainfix =V33V35aConsVVV4FFANainfix =V4aNilainfix <ainfix +alengthV37alengthV4ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Aapermutainfix ++ainfix ++V39V37V4ainfix ++V0V1Iainfix =V39ainfix ++V3aConsV38aNilFICfaNilainfix =V37V41Aainfix =V38V40aConsVVV5FFANainfix =V5aNilaleV30V31ICfaNilainfix =V31V42aConsVwV4FANainfix =V4aNilICfaNilainfix =V30V43aConsVwV5FANainfix =V5aNilainfix <ainfix +alengthV44alengthV4ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Aapermutainfix ++ainfix ++V46V44V4ainfix ++V0V1Iainfix =V46ainfix ++V3aConsV45aNilFICfaNilainfix =V44V48Aainfix =V45V47aConsVVV5FFANainfix =V5aNilainfix =alengthV4c0ainfix <ainfix +alengthV5alengthV49ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Aapermutainfix ++ainfix ++V51V5V49ainfix ++V0V1Iainfix =V51ainfix ++V3aConsV50aNilFICfaNilainfix =V49V53Aainfix =V50V52aConsVVV4FFANainfix =V4aNilainfix =alengthV5c0ainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FAapermutainfix ++ainfix ++V2V0V1ainfix ++V0V1Iainfix =V2aNilF">
@@ -47,7 +47,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="1. loop invariant init"
-      sum="620048eb9ff9faa9b08b4db9616ccade"
+      sum="7cad5b08e4c3600995d9200a040cfdd5"
       proved="true"
       expanded="false"
       shape="loop invariant initapermutainfix ++ainfix ++V2V0V1ainfix ++V0V1Iainfix =V2aNilF">
@@ -67,7 +67,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="2. precondition"
-      sum="1d83723f14173c9701d621d12293fa94"
+      sum="40ee6ef168976897b3bf9f26c1269467"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V4aNilIainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -87,7 +87,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="3. loop invariant preservation"
-      sum="271a5d6ee64928b5a587ae933cf50def"
+      sum="224bc1db170262c55fcb51c5d169c6d8"
       proved="true"
       expanded="false"
       shape="loop invariant preservationapermutainfix ++ainfix ++V8V5V6ainfix ++V0V1Iainfix =V8ainfix ++V3aConsV7aNilFICfaNilainfix =V6V10Aainfix =V7V9aConsVVV4FFINainfix =V4aNilIainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -107,7 +107,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="4. loop variant decrease"
-      sum="93439cd7cc3a42072fc3634c58e404e7"
+      sum="d700ac4cb1ebb7f66979f0b7b7cff6cf"
       proved="true"
       expanded="false"
       shape="loop variant decreaseainfix <ainfix +alengthV5alengthV6ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Iainfix =V8ainfix ++V3aConsV7aNilFICfaNilainfix =V6V10Aainfix =V7V9aConsVVV4FFINainfix =V4aNilIainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -127,7 +127,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="5. precondition"
-      sum="b9e1d84ada09f6d217749a08ee62894d"
+      sum="86c0e62ae5e7b4f2e4216c80c2fc78ca"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V5aNilIainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -147,7 +147,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="6. loop invariant preservation"
-      sum="6bb797977f3621e7fe40e231d45cb419"
+      sum="819baf519e9d1ba7512bee3079c9d396"
       proved="true"
       expanded="false"
       shape="loop invariant preservationapermutainfix ++ainfix ++V8V6V4ainfix ++V0V1Iainfix =V8ainfix ++V3aConsV7aNilFICfaNilainfix =V6V10Aainfix =V7V9aConsVVV5FFINainfix =V5aNilIainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -175,7 +175,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="7. loop variant decrease"
-      sum="26879ae0c042f181c572368476f802f1"
+      sum="39be4c73701e50beb561dc1c10709f59"
       proved="true"
       expanded="false"
       shape="loop variant decreaseainfix <ainfix +alengthV6alengthV4ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Iainfix =V8ainfix ++V3aConsV7aNilFICfaNilainfix =V6V10Aainfix =V7V9aConsVVV5FFINainfix =V5aNilIainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -195,7 +195,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="8. precondition"
-      sum="5337c76b1c6ac0e60331b311e04e4b0a"
+      sum="2bfd41c85e90f097c4cefee30610837d"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -215,7 +215,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="9. precondition"
-      sum="cce46842cf6da5e0f1513edbdbff2872"
+      sum="d1907f423ad3ecbaec1ab082278710a6"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V4aNilICfaNilainfix =V6V7aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -235,7 +235,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="10. precondition"
-      sum="70abac67e67f3212212b50765fc2ca54"
+      sum="fe2aefd83d0a4fad98825c1355df0368"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V5aNilIaleV6V7ICfaNilainfix =V7V8aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V9aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -255,7 +255,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="11. loop invariant preservation"
-      sum="a3f28c85ddd1f1c4459887e804d4180a"
+      sum="b017883944172434a91f989251c4cafe"
       proved="true"
       expanded="false"
       shape="loop invariant preservationapermutainfix ++ainfix ++V10V8V4ainfix ++V0V1Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV5FFINainfix =V5aNilIaleV6V7ICfaNilainfix =V7V13aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V14aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -283,7 +283,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="12. loop variant decrease"
-      sum="4c9b8d8c4a0e7e202ac920d1a972a120"
+      sum="4e6bc040febf70b9b64db5b748c76cac"
       proved="true"
       expanded="false"
       shape="loop variant decreaseainfix <ainfix +alengthV8alengthV4ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV5FFINainfix =V5aNilIaleV6V7ICfaNilainfix =V7V13aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V14aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -303,7 +303,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="13. precondition"
-      sum="148e7fc8d500ebb1745f506eac243edf"
+      sum="475916245e98676823dc5f019f27415d"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V4aNilINaleV6V7ICfaNilainfix =V7V8aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V9aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -323,7 +323,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="14. loop invariant preservation"
-      sum="694698cd2eed41485aaf6e5257b8d4c5"
+      sum="b3cfb77dd5468d731ada75880999c9b4"
       proved="true"
       expanded="false"
       shape="loop invariant preservationapermutainfix ++ainfix ++V10V5V8ainfix ++V0V1Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV4FFINainfix =V4aNilINaleV6V7ICfaNilainfix =V7V13aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V14aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -344,7 +344,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="15. loop variant decrease"
-      sum="0c140f263d27c3353708994501db2b3d"
+      sum="1156fcb18fa38b5fc764ff759d2053e4"
       proved="true"
       expanded="false"
       shape="loop variant decreaseainfix <ainfix +alengthV5alengthV8ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV4FFINainfix =V4aNilINaleV6V7ICfaNilainfix =V7V13aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V14aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -364,7 +364,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="16. precondition"
-      sum="4e6327a309f0ed446c12b500d73c0ee1"
+      sum="4cc9c02937c1707e6e1261dd651e8450"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V4aNilIainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -384,7 +384,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="17. loop invariant preservation"
-      sum="992fe51371ffa7233218c77561a0d0c9"
+      sum="5e353d0b39f6694c73f3664c29e6eadf"
       proved="true"
       expanded="false"
       shape="loop invariant preservationapermutainfix ++ainfix ++V8V5V6ainfix ++V0V1Iainfix =V8ainfix ++V3aConsV7aNilFICfaNilainfix =V6V10Aainfix =V7V9aConsVVV4FFINainfix =V4aNilIainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -412,7 +412,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="18. loop variant decrease"
-      sum="bffae961c7c69b54991e948a1032b9c5"
+      sum="3d7556ba9aa12f64af4a3807a572c25b"
       proved="true"
       expanded="false"
       shape="loop variant decreaseainfix <ainfix +alengthV5alengthV6ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Iainfix =V8ainfix ++V3aConsV7aNilFICfaNilainfix =V6V10Aainfix =V7V9aConsVVV4FFINainfix =V4aNilIainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -432,7 +432,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="19. precondition"
-      sum="29e50ed575409211c17e8a5893294c5b"
+      sum="a6387c50546e95ec962a05fb82c27fdb"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V5aNilIainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -452,7 +452,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="20. loop invariant preservation"
-      sum="e65fda75e5112bc1eb9b33aef6a7d515"
+      sum="59d5e018c8f46c88bc6a75f853c2a308"
       proved="true"
       expanded="false"
       shape="loop invariant preservationapermutainfix ++ainfix ++V8V6V4ainfix ++V0V1Iainfix =V8ainfix ++V3aConsV7aNilFICfaNilainfix =V6V10Aainfix =V7V9aConsVVV5FFINainfix =V5aNilIainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -472,7 +472,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="21. loop variant decrease"
-      sum="743c552082a2ec44bd193f9b9abfd28e"
+      sum="38d32fa2f839e60468a339e10f64db73"
       proved="true"
       expanded="false"
       shape="loop variant decreaseainfix <ainfix +alengthV6alengthV4ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Iainfix =V8ainfix ++V3aConsV7aNilFICfaNilainfix =V6V10Aainfix =V7V9aConsVVV5FFINainfix =V5aNilIainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -492,7 +492,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="22. precondition"
-      sum="296e24fc94b95335feef6b48ba10f156"
+      sum="328b20712344c7f7841d7960896fbcd7"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -512,7 +512,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="23. precondition"
-      sum="1a87ee2452fe0051b5ba807637d331e7"
+      sum="d4def8ab951c926f48aec16359c12909"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V4aNilICfaNilainfix =V6V7aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -532,7 +532,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="24. precondition"
-      sum="8ac3e748e12a4e55a1cac310ec152dd3"
+      sum="d25ba71ea9166f65f0518d2794f38160"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V5aNilIaleV6V7ICfaNilainfix =V7V8aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V9aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -552,7 +552,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="25. loop invariant preservation"
-      sum="f67a39bf9b89f87d1591afbb910751e2"
+      sum="7d500962f8d8849ea5dc1000d51223ec"
       proved="true"
       expanded="false"
       shape="loop invariant preservationapermutainfix ++ainfix ++V10V8V4ainfix ++V0V1Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV5FFINainfix =V5aNilIaleV6V7ICfaNilainfix =V7V13aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V14aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -572,7 +572,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="26. loop variant decrease"
-      sum="b0df5e7e4b105bea3b8eeb299744d0d7"
+      sum="bfbcaedd6f3d9d5013eb270cbea04667"
       proved="true"
       expanded="false"
       shape="loop variant decreaseainfix <ainfix +alengthV8alengthV4ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV5FFINainfix =V5aNilIaleV6V7ICfaNilainfix =V7V13aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V14aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -592,7 +592,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="27. precondition"
-      sum="be5157ba0c362be4972133858c5e87dc"
+      sum="47669224987d51ef91146e44877ab344"
       proved="true"
       expanded="false"
       shape="preconditionNainfix =V4aNilINaleV6V7ICfaNilainfix =V7V8aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V9aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -612,7 +612,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="28. loop invariant preservation"
-      sum="848d11aae3ba85824e0c84ae633386f6"
+      sum="aec20572472c24330ed174f62dbad707"
       proved="true"
       expanded="false"
       shape="loop invariant preservationapermutainfix ++ainfix ++V10V5V8ainfix ++V0V1Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV4FFINainfix =V4aNilINaleV6V7ICfaNilainfix =V7V13aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V14aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -632,7 +632,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="29. loop variant decrease"
-      sum="d56e18e16973d932f73370ba3b2d4f30"
+      sum="280ee3453c58805721ab7343f207b100"
       proved="true"
       expanded="false"
       shape="loop variant decreaseainfix <ainfix +alengthV5alengthV8ainfix +alengthV5alengthV4Aainfix <=c0ainfix +alengthV5alengthV4Iainfix =V10ainfix ++V3aConsV9aNilFICfaNilainfix =V8V12Aainfix =V9V11aConsVVV4FFINainfix =V4aNilINaleV6V7ICfaNilainfix =V7V13aConsVwV4FINainfix =V4aNilICfaNilainfix =V6V14aConsVwV5FINainfix =V5aNilINainfix =alengthV4c0INainfix =alengthV5c0Iainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">
@@ -652,7 +652,7 @@
       locfile="../mergesort_queue.mlw"
       loclnum="20" loccnumb="6" loccnume="11"
       expl="30. postcondition"
-      sum="879e9dca32ba1d101f477859c355673d"
+      sum="15564c22cca5b5b1b00ee338999757f2"
       proved="true"
       expanded="false"
       shape="postconditionapermutV3ainfix ++V0V1INainfix >alengthV4c0INainfix >alengthV5c0Iapermutainfix ++ainfix ++V3V5V4ainfix ++V0V1FIainfix =V2aNilF">

examples/sorted_list/why3session.xml

@@ -19,7 +19,7 @@
     name="Sorted_not_mem"
     locfile="../sorted_list.mlw"
     loclnum="9" loccnumb="8" loccnume="22"
-    sum="752c0d2c53d038c5764d6395b51584b7"
+    sum="c82f4c2802ef03b2cc478898b23b9255"
     proved="true"
     expanded="true"
     shape="NamemV0aConsV1V2IasortedaConsV1V2Iainfix <V0V1F">
@@ -37,7 +37,7 @@
     locfile="../sorted_list.mlw"
     loclnum="13" loccnumb="10" loccnume="14"
     expl="VC for find"
-    sum="8e6f6ceca73f906fe4cb7ff94deec601"
+    sum="f6f632cddc57a43cc61b51ef02faadfe"
     proved="true"
     expanded="true"
     shape="CNamemV0V1aNiliiNamemV0V1amemV0V1qainfix =V4aTrueIamemV0V3qainfix =V4aTrueFAasortedV3ACfaNilainfix =V5V3aConswVV1ainfix >V0V2amemV0V1ainfix =V0V2aConsVVV1IasortedV1F">

theories/list.why

@@ -316,8 +316,8 @@ theory Sorted
 
   lemma sorted_append:
     forall l1 l2: list t.
-    sorted l1 -> sorted l2 ->
-    (forall x y: t. mem x l1 -> mem y l2 -> le x y) ->
+    (sorted l1 /\ sorted l2 /\ (forall x y: t. mem x l1 -> mem y l2 -> le x y))
+    <->
     sorted (l1 ++ l2)
 
 end