Skip to content

GitLab

why3
why3
Commit 437ed722 authored by Jean-Christophe Filliâtre's avatar Jean-Christophe Filliâtre
Browse files
Options

N-queens: proof in progress

parent 18d45331
Hide whitespace changes
Inline Side-by-side
Showing with 554 additions and 23 deletions
examples/programs/queens.mlw 0 → 100644
View file @ 437ed722
(* Verification of the following 2-lines C program solving the N-queens puzzle:
t(a,b,c){int d=0,e=a&~b&~c,f=1;if(a)for(f=0;d=(e-=d)&-e;f+=t(a-d,(b+d)*2,(
c+d)/2));return f;}main(q){scanf("%d",&q);printf("%d\n",t(~(~0<<q),0,0));}
*)
theory BitwiseArithmetic
use export int.Int
(* logical and *)
function (&) int int : int
(* logical shift left *)
function (<<) int int : int
(* logical negation *)
function (~_) int : int
end
theory Bits "the bits of an integer, as a set of integers"
use export set.Fsetint
function bits int : set int
axiom bits_0:
forall x: int. is_empty (bits x) <-> x = 0
axiom bits_remove_singleton:
forall x a b: int. bits b = singleton x -> mem x (bits a) ->
bits (a - b) = remove x (bits a)
use export BitwiseArithmetic
axiom bits_diff:
forall a b: int. bits (a & ~b) = diff (bits a) (bits b)
axiom rightmost_bit_trick:
forall x: int. x <> 0 -> bits (x & -x) = singleton (min_elt (bits x))
end
module NQueens
use import Bits
use import module arith.Int
use import module ref.Refint
use import module array.Array
(* warmup 1: termination of the loop *)
let rec t1 (a b c : int) =
if a <> 0 then begin
let e = ref (a & ~b & ~c) in
let f = ref 0 in
while !e <> 0 do variant { cardinal (bits !e) }
let d = !e & (- !e) in
f += t1 (a - d) ((b+d) * 2) ((c+d)/2);
e -= d
done;
!f
end else
1
(* warmup 2: termination of the recursive function *)
let rec t2 (a b c : int) variant { cardinal (bits a) } =
if a <> 0 then begin
let e = ref (a & ~b & ~c) in
let f = ref 0 in
while !e <> 0 do invariant { subset (bits !e) (bits a) }
let d = !e & (- !e) in
assert { bits d = singleton (min_elt (bits !e)) };
f += t2 (a - d) ((b+d) * 2) ((c+d)/2);
e -= d
done;
!f
end else
1
end
(*
Local Variables:
compile-command: "unset LANG; make -C ../.. examples/programs/queens.gui"
End:
*)
examples/programs/queens/queens_WP_NQueens_WP_parameter_t2_1.v 0 → 100644
View file @ 437ed722
(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below *)
Require Import ZArith.
Require Import Rbase.
Require Import ZOdiv.
Definition unit := unit.
Parameter mark : Type.
Parameter at1: forall (a:Type), a -> mark -> a.
Implicit Arguments at1.
Parameter old: forall (a:Type), a -> a.
Implicit Arguments old.
Parameter set : forall (a:Type), Type.
Parameter mem: forall (a:Type), a -> (set a) -> Prop.
Implicit Arguments mem.
Definition infix_eqeq (a:Type)(s1:(set a)) (s2:(set a)): Prop :=
forall (x:a), (mem x s1) <-> (mem x s2).
Implicit Arguments infix_eqeq.
Axiom extensionality : forall (a:Type), forall (s1:(set a)) (s2:(set a)),
(infix_eqeq s1 s2) -> (s1 = s2).
Definition subset (a:Type)(s1:(set a)) (s2:(set a)): Prop := forall (x:a),
(mem x s1) -> (mem x s2).
Implicit Arguments subset.
Axiom subset_trans : forall (a:Type), forall (s1:(set a)) (s2:(set a))
(s3:(set a)), (subset s1 s2) -> ((subset s2 s3) -> (subset s1 s3)).
Parameter empty: forall (a:Type), (set a).
Set Contextual Implicit.
Implicit Arguments empty.
Unset Contextual Implicit.
Definition is_empty (a:Type)(s:(set a)): Prop := forall (x:a), ~ (mem x s).
Implicit Arguments is_empty.
Axiom empty_def1 : forall (a:Type), (is_empty (empty:(set a))).
Parameter add: forall (a:Type), a -> (set a) -> (set a).
Implicit Arguments add.
Axiom add_def1 : forall (a:Type), forall (x:a) (y:a), forall (s:(set a)),
(mem x (add y s)) <-> ((x = y) \/ (mem x s)).
Parameter remove: forall (a:Type), a -> (set a) -> (set a).
Implicit Arguments remove.
Axiom remove_def1 : forall (a:Type), forall (x:a) (y:a) (s:(set a)), (mem x
(remove y s)) <-> ((~ (x = y)) /\ (mem x s)).
Axiom subset_remove : forall (a:Type), forall (x:a) (s:(set a)),
(subset (remove x s) s).
Parameter union: forall (a:Type), (set a) -> (set a) -> (set a).
Implicit Arguments union.
Axiom union_def1 : forall (a:Type), forall (s1:(set a)) (s2:(set a)) (x:a),
(mem x (union s1 s2)) <-> ((mem x s1) \/ (mem x s2)).
Parameter inter: forall (a:Type), (set a) -> (set a) -> (set a).
Implicit Arguments inter.
Axiom inter_def1 : forall (a:Type), forall (s1:(set a)) (s2:(set a)) (x:a),
(mem x (inter s1 s2)) <-> ((mem x s1) /\ (mem x s2)).
Parameter diff: forall (a:Type), (set a) -> (set a) -> (set a).
Implicit Arguments diff.
Axiom diff_def1 : forall (a:Type), forall (s1:(set a)) (s2:(set a)) (x:a),
(mem x (diff s1 s2)) <-> ((mem x s1) /\ ~ (mem x s2)).
Axiom subset_diff : forall (a:Type), forall (s1:(set a)) (s2:(set a)),
(subset (diff s1 s2) s1).
Parameter cardinal: forall (a:Type), (set a) -> Z.
Implicit Arguments cardinal.
Axiom cardinal_nonneg : forall (a:Type), forall (s:(set a)),
(0%Z <= (cardinal s))%Z.
Axiom cardinal_empty : forall (a:Type), forall (s:(set a)),
((cardinal s) = 0%Z) <-> (is_empty s).
Axiom cardinal_add : forall (a:Type), forall (x:a), forall (s:(set a)),
(~ (mem x s)) -> ((cardinal (add x s)) = (1%Z + (cardinal s))%Z).
Axiom cardinal_remove : forall (a:Type), forall (x:a), forall (s:(set a)),
(mem x s) -> ((cardinal s) = (1%Z + (cardinal (remove x s)))%Z).
Axiom cardinal_subset : forall (a:Type), forall (s1:(set a)) (s2:(set a)),
(subset s1 s2) -> ((cardinal s1) <= (cardinal s2))%Z.
Parameter min_elt: (set Z) -> Z.
Axiom min_elt_def1 : forall (s:(set Z)), (~ (is_empty s)) -> (mem (min_elt s)
s).
Axiom min_elt_def2 : forall (s:(set Z)), (~ (is_empty s)) -> forall (x:Z),
(mem x s) -> ((min_elt s) <= x)%Z.
Parameter max_elt: (set Z) -> Z.
Axiom max_elt_def1 : forall (s:(set Z)), (~ (is_empty s)) -> (mem (max_elt s)
s).
Axiom max_elt_def2 : forall (s:(set Z)), (~ (is_empty s)) -> forall (x:Z),
(mem x s) -> (x <= (max_elt s))%Z.
Parameter below: Z -> (set Z).
Axiom below_def : forall (x:Z) (n:Z), (mem x (below n)) <-> ((0%Z <= x)%Z /\
(x < n)%Z).
Parameter bits: Z -> (set Z).
Axiom bits_0 : forall (x:Z), (is_empty (bits x)) <-> (x = 0%Z).
Axiom bits_remove_singleton : forall (x:Z) (a:Z) (b:Z), ((bits b) = (add x
(empty:(set Z)))) -> ((mem x (bits a)) -> ((bits (a - b)%Z) = (remove x
(bits a)))).
Parameter infix_et: Z -> Z -> Z.
Parameter infix_lsls: Z -> Z -> Z.
Parameter prefix_tl: Z -> Z.
Axiom bits_diff : forall (a:Z) (b:Z), ((bits (infix_et a
(prefix_tl b))) = (diff (bits a) (bits b))).
Axiom rightmost_bit_trick : forall (x:Z), (~ (x = 0%Z)) -> ((bits (infix_et x
(-x)%Z)) = (add (min_elt (bits x)) (empty:(set Z)))).
Axiom Abs_pos : forall (x:Z), (0%Z <= (Zabs x))%Z.
Axiom Div_mod : forall (x:Z) (y:Z), (~ (y = 0%Z)) ->
(x = ((y * (ZOdiv x y))%Z + (ZOmod x y))%Z).
Axiom Div_bound : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) ->
((0%Z <= (ZOdiv x y))%Z /\ ((ZOdiv x y) <= x)%Z).
Axiom Mod_bound : forall (x:Z) (y:Z), (~ (y = 0%Z)) ->
(((-(Zabs y))%Z < (ZOmod x y))%Z /\ ((ZOmod x y) < (Zabs y))%Z).
Axiom Div_sign_pos : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) ->
(0%Z <= (ZOdiv x y))%Z.
Axiom Div_sign_neg : forall (x:Z) (y:Z), ((x <= 0%Z)%Z /\ (0%Z < y)%Z) ->
((ZOdiv x y) <= 0%Z)%Z.
Axiom Mod_sign_pos : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ ~ (y = 0%Z)) ->
(0%Z <= (ZOmod x y))%Z.
Axiom Mod_sign_neg : forall (x:Z) (y:Z), ((x <= 0%Z)%Z /\ ~ (y = 0%Z)) ->
((ZOmod x y) <= 0%Z)%Z.
Axiom Rounds_toward_zero : forall (x:Z) (y:Z), (~ (y = 0%Z)) ->
((Zabs ((ZOdiv x y) * y)%Z) <= (Zabs x))%Z.
Axiom Div_1 : forall (x:Z), ((ZOdiv x 1%Z) = x).
Axiom Mod_1 : forall (x:Z), ((ZOmod x 1%Z) = 0%Z).
Axiom Div_inf : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (x < y)%Z) ->
((ZOdiv x y) = 0%Z).
Axiom Mod_inf : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (x < y)%Z) ->
((ZOmod x y) = x).
Axiom Div_mult : forall (x:Z) (y:Z) (z:Z), ((0%Z < x)%Z /\ ((0%Z <= y)%Z /\
(0%Z <= z)%Z)) -> ((ZOdiv ((x * y)%Z + z)%Z x) = (y + (ZOdiv z x))%Z).
Axiom Mod_mult : forall (x:Z) (y:Z) (z:Z), ((0%Z < x)%Z /\ ((0%Z <= y)%Z /\
(0%Z <= z)%Z)) -> ((ZOmod ((x * y)%Z + z)%Z x) = (ZOmod z x)).
Inductive ref (a:Type) :=
| mk_ref : a -> ref a.
Implicit Arguments mk_ref.
Definition contents (a:Type)(u:(ref a)): a :=
match u with
| mk_ref contents1 => contents1
end.
Implicit Arguments contents.
Parameter map : forall (a:Type) (b:Type), Type.
Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b.
Implicit Arguments get.
Parameter set1: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b).
Implicit Arguments set1.
Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set1 m a1 b1)
a2) = b1).
Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set1 m a1 b1)
a2) = (get m a2)).
Parameter const: forall (b:Type) (a:Type), b -> (map a b).
Set Contextual Implicit.
Implicit Arguments const.
Unset Contextual Implicit.
Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const(
b1):(map a b)) a1) = b1).
Inductive array (a:Type) :=
| mk_array : Z -> (map Z a) -> array a.
Implicit Arguments mk_array.
Definition elts (a:Type)(u:(array a)): (map Z a) :=
match u with
| mk_array _ elts1 => elts1
end.
Implicit Arguments elts.
Definition length (a:Type)(u:(array a)): Z :=
match u with
| mk_array length1 _ => length1
end.
Implicit Arguments length.
Definition get1 (a:Type)(a1:(array a)) (i:Z): a := (get (elts a1) i).
Implicit Arguments get1.
Definition set2 (a:Type)(a1:(array a)) (i:Z) (v:a): (array a) :=
match a1 with
| mk_array xcl0 _ => (mk_array xcl0 (set1 (elts a1) i v))
end.
Implicit Arguments set2.
(* YOU MAY EDIT THE CONTEXT BELOW *)
(* DO NOT EDIT BELOW *)
Theorem WP_parameter_t2 : forall (a:Z), (~ (a = 0%Z)) -> forall (f:Z),
forall (e:Z), (subset (bits e) (bits a)) -> ((~ (e = 0%Z)) ->
(((bits (infix_et e (-e)%Z)) = (add (min_elt (bits e)) (empty:(set Z)))) ->
((~ (2%Z = 0%Z)) -> (((0%Z <= (cardinal (bits a)))%Z /\
((cardinal (bits (a - (infix_et e
(-e)%Z))%Z)) < (cardinal (bits a)))%Z) -> forall (result:Z),
forall (f1:Z), (f1 = (f + result)%Z) -> forall (e1:Z),
(e1 = (e - (infix_et e (-e)%Z))%Z) -> (subset (bits e1) (bits a)))))).
(* YOU MAY EDIT THE PROOF BELOW *)
intuition.
assert (bits e1 = remove (min_elt (bits e)) (bits e)).
subst e1.
apply bits_remove_singleton.
apply rightmost_bit_trick.
omega.
apply min_elt_def1.
generalize (bits_0 e); intuition.
apply subset_trans with (bits e); auto.
rewrite H8.
apply subset_remove; auto.
Qed.
(* DO NOT EDIT BELOW *)
examples/programs/queens/why3session.xml 0 → 100644
View file @ 437ed722
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE why3session SYSTEM "why3session.dtd">
<why3session name="examples/programs/queens/why3session.xml">
<prover id="alt-ergo" name="Alt-Ergo" version="0.93"/>
<prover id="coq" name="Coq" version="8.2pl1"/>
<prover id="cvc3" name="CVC3" version="2.2"/>
<prover id="eprover" name="Eprover" version="1.0-004 Temi"/>
<prover id="gappa" name="Gappa" version="0.14.0"/>
<prover id="simplify" name="Simplify" version="1.5.4"/>
<prover id="spass" name="Spass" version="3.5"/>
<prover id="yices" name="Yices" version="1.0.27"/>
<prover id="z3" name="Z3" version="2.19"/>
<file name="../queens.mlw" verified="true" expanded="true">
<theory name="BitwiseArithmetic" verified="true" expanded="true">
</theory>
<theory name="Bits" verified="true" expanded="true">
</theory>
<theory name="WP NQueens" verified="true" expanded="true">
<goal name="WP_parameter t1" expl="correctness of parameter t1" sum="9844cd8c7f55016fd45ae33278e8d93f" proved="true" expanded="true" shape="iainfix =V0c0Niainfix =V2c0Nainfix <acardinalabitsV5acardinalabitsV2Aainfix <=c0acardinalabitsV2Iainfix =V5ainfix -V2ainfix &V2aprefix -V2FIainfix =V4ainfix +V1V3FFAainfix =c2c0NtFFtF">
<transf name="split_goal" proved="true" expanded="true">
<goal name="WP_parameter t1.1" expl="precondition" sum="7d8a8971a03ce57a28f3e4a1fddda896" proved="true" expanded="true" shape="ainfix =c2c0NIainfix =V2c0NFFIainfix =V0c0NF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal name="WP_parameter t1.2" expl="loop variant decreases" sum="098c3a0d333c7dfc3bc02c6d833e7a60" proved="true" expanded="true" shape="ainfix <acardinalabitsV5acardinalabitsV2Aainfix <=c0acardinalabitsV2Iainfix =V5ainfix -V2ainfix &V2aprefix -V2FIainfix =V4ainfix +V1V3FFIainfix =c2c0NIainfix =V2c0NFFIainfix =V0c0NF">
<transf name="split_goal" proved="true" expanded="true">
<goal name="WP_parameter t1.2.1" expl="correctness of parameter t1" sum="7c572289b8be1ace3edf8a30024b9aaa" proved="true" expanded="true" shape="ainfix <=c0acardinalabitsV2Iainfix =V5ainfix -V2ainfix &V2aprefix -V2FIainfix =V4ainfix +V1V3FFIainfix =c2c0NIainfix =V2c0NFFIainfix =V0c0NF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal name="WP_parameter t1.2.2" expl="correctness of parameter t1" sum="7754973086bdc451d97dc36dee15942c" proved="true" expanded="true" shape="ainfix <acardinalabitsV5acardinalabitsV2Iainfix =V5ainfix -V2ainfix &V2aprefix -V2FIainfix =V4ainfix +V1V3FFIainfix =c2c0NIainfix =V2c0NFFIainfix =V0c0NF">
<proof prover="z3" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.08"/>
</proof>
</goal>
</transf>
</goal>
<goal name="WP_parameter t1.3" expl="normal postcondition" sum="08539b7da399a7e2c76a2cfbd846123b" proved="true" expanded="true" shape="tIainfix =V2c0NNFFIainfix =V0c0NF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal name="WP_parameter t1.4" expl="normal postcondition" sum="9aef56a481bc1b058d23bb09449d3f22" proved="true" expanded="true" shape="tIainfix =V0c0NNF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
</transf>
</goal>
<goal name="WP_parameter t2" expl="correctness of parameter t2" sum="ae1c369ef635350b8f5302d7f17894c6" proved="true" expanded="true" shape="iainfix =V0c0Niainfix =V4c0NasubsetabitsV7abitsV0Iainfix =V7ainfix -V4ainfix &V4aprefix -V4FIainfix =V6ainfix +V3V5FFAtAainfix <acardinalabitsainfix -V0ainfix &V4aprefix -V4acardinalabitsV0Aainfix <=c0acardinalabitsV0Aainfix =c2c0NAainfix =abitsainfix &V4aprefix -V4asingletonamin_eltabitsV4tIasubsetabitsV4abitsV0FFAasubsetabitsainfix &ainfix &V0aprefix ~V1aprefix ~V2abitsV0tFFF">
<transf name="split_goal" proved="true" expanded="true">
<goal name="WP_parameter t2.1" expl="loop invariant init" sum="84fd7f60ba18cd77c2a67d40008804bd" proved="true" expanded="true" shape="asubsetabitsainfix &ainfix &V0aprefix ~V1aprefix ~V2abitsV0Iainfix =V0c0NFFF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.05"/>
</proof>
</goal>
<goal name="WP_parameter t2.2" expl="assertion" sum="2a54a03011dd0ce17358573a065d9a09" proved="true" expanded="true" shape="ainfix =abitsainfix &V4aprefix -V4asingletonamin_eltabitsV4Iainfix =V4c0NIasubsetabitsV4abitsV0FFIainfix =V0c0NFFF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal name="WP_parameter t2.3" expl="precondition" sum="4f12ace363f89ac270a1ba8a478b1011" proved="true" expanded="true" shape="ainfix =c2c0NIainfix =abitsainfix &V4aprefix -V4asingletonamin_eltabitsV4Iainfix =V4c0NIasubsetabitsV4abitsV0FFIainfix =V0c0NFFF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal name="WP_parameter t2.4" expl="precondition" sum="0a21712328585890a3798a6e17b698c7" proved="true" expanded="true" shape="tAainfix <acardinalabitsainfix -V0ainfix &V4aprefix -V4acardinalabitsV0Aainfix <=c0acardinalabitsV0Iainfix =c2c0NIainfix =abitsainfix &V4aprefix -V4asingletonamin_eltabitsV4Iainfix =V4c0NIasubsetabitsV4abitsV0FFIainfix =V0c0NFFF">
<transf name="split_goal" proved="true" expanded="true">
<goal name="WP_parameter t2.4.1" expl="correctness of parameter t2" sum="9ad392c07fcdd8f70b7e8ee3841ef5ef" proved="true" expanded="true" shape="ainfix <=c0acardinalabitsV0Iainfix =c2c0NIainfix =abitsainfix &V4aprefix -V4asingletonamin_eltabitsV4Iainfix =V4c0NIasubsetabitsV4abitsV0FFIainfix =V0c0NFFF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal name="WP_parameter t2.4.2" expl="correctness of parameter t2" sum="9adbc8e82df5a12fef6630e780b3861c" proved="true" expanded="true" shape="ainfix <acardinalabitsainfix -V0ainfix &V4aprefix -V4acardinalabitsV0Iainfix =c2c0NIainfix =abitsainfix &V4aprefix -V4asingletonamin_eltabitsV4Iainfix =V4c0NIasubsetabitsV4abitsV0FFIainfix =V0c0NFFF">
<proof prover="z3" timelimit="10" edited="" obsolete="false">
<result status="valid" time="7.86"/>
</proof>
</goal>
</transf>
</goal>
<goal name="WP_parameter t2.5" expl="loop invariant preservation" sum="638feec51a96015020e77cb80f359a29" proved="true" expanded="true" shape="asubsetabitsV7abitsV0Iainfix =V7ainfix -V4ainfix &V4aprefix -V4FIainfix =V6ainfix +V3V5FFItAainfix <acardinalabitsainfix -V0ainfix &V4aprefix -V4acardinalabitsV0Aainfix <=c0acardinalabitsV0Iainfix =c2c0NIainfix =abitsainfix &V4aprefix -V4asingletonamin_eltabitsV4Iainfix =V4c0NIasubsetabitsV4abitsV0FFIainfix =V0c0NFFF">
<proof prover="coq" timelimit="10" edited="queens_WP_NQueens_WP_parameter_t2_1.v" obsolete="false">
<result status="valid" time="0.68"/>
</proof>
</goal>
<goal name="WP_parameter t2.6" expl="normal postcondition" sum="4903c9b24c965c6cefaddad3cd9820ec" proved="true" expanded="true" shape="tIainfix =V4c0NNIasubsetabitsV4abitsV0FFIainfix =V0c0NFFF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal name="WP_parameter t2.7" expl="normal postcondition" sum="a17d91fc3e9e97cdfbc4dbce099c0c9a" proved="true" expanded="true" shape="tIainfix =V0c0NNFFF">
<proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
</transf>
</goal>
</theory>
</file>
</why3session>
theories/set.why
View file @ 437ed722
......@@ -3,47 +3,70 @@ theory Set
type set 'a
(* membership *)
predicate mem 'a (set 'a)
(* equality *)
predicate (==) (s1 s2: set 'a) = forall x : 'a. mem x s1 <-> mem x s2
axiom extensionality:
forall s1 s2: set 'a. s1 == s2 -> s1 = s2
(* inclusion *)
predicate subset (s1 s2: set 'a) = forall x : 'a. mem x s1 -> mem x s2
lemma subset_trans:
forall s1 s2 s3: set 'a. subset s1 s2 -> subset s2 s3 -> subset s1 s3
(* empty set *)
function empty : set 'a
predicate is_empty (s : set 'a) = forall x : 'a. not mem x s
predicate is_empty (s: set 'a) = forall x: 'a. not (mem x s)
axiom Empty_def1 : is_empty(empty : set 'a)
axiom empty_def1: is_empty (empty : set 'a)
(* addition *)
function add 'a (set 'a) : set 'a
axiom Add_def1 :
forall x y : 'a. forall s : set 'a.
axiom add_def1:
forall x y: 'a. forall s: set 'a.
mem x (add y s) <-> x = y \/ mem x s
function singleton (x: 'a) : set 'a = add x empty
(* removal *)
function remove 'a (set 'a) : set 'a
axiom Remove_def1 :
forall x y : 'a. forall s : set 'a.
axiom remove_def1:
forall x y : 'a, s : set 'a.
mem x (remove y s) <-> x <> y /\ mem x s
lemma subset_remove:
forall x: 'a, s: set 'a. subset (remove x s) s
(* union *)
function union (set 'a) (set 'a) : set 'a
axiom Union_def1 :
forall s1 s2 : set 'a. forall x : 'a.
axiom union_def1:
forall s1 s2: set 'a, x: 'a.
mem x (union s1 s2) <-> mem x s1 \/ mem x s2
(* intersection *)
function inter (set 'a) (set 'a) : set 'a
axiom Inter_def1 :
forall s1 s2 : set 'a. forall x : 'a.
axiom inter_def1:
forall s1 s2: set 'a, x: 'a.
mem x (inter s1 s2) <-> mem x s1 /\ mem x s2
(* difference *)
function diff (set 'a) (set 'a) : set 'a
axiom Diff_def1 :
forall s1 s2 : set 'a. forall x : 'a.
mem x (diff s1 s2) <-> mem x s1 /\ not mem x s2
predicate equal(s1 s2 : set 'a) = forall x : 'a. mem x s1 <-> mem x s2
axiom diff_def1:
forall s1 s2: set 'a, x: 'a.
mem x (diff s1 s2) <-> mem x s1 /\ not (mem x s2)
predicate subset(s1 s2 : set 'a) = forall x : 'a. mem x s1 -> mem x s2
lemma subset_diff:
forall s1 s2: set 'a. subset (diff s1 s2) s1
end
......@@ -54,23 +77,53 @@ theory Fset
function cardinal (set 'a) : int
axiom Cardinal_nonneg : forall s : set 'a. cardinal s >= 0
axiom cardinal_nonneg: forall s: set 'a. cardinal s >= 0
axiom Cardinal_empty : cardinal(empty : set 'a) = 0
axiom cardinal_empty:
forall s: set 'a. cardinal s = 0 <-> is_empty s
axiom Cardinal_add :
axiom cardinal_add:
forall x : 'a. forall s : set 'a.
not mem x s -> cardinal (add x s) = 1 + cardinal s
not (mem x s) -> cardinal (add x s) = 1 + cardinal s