list_rev : in M2 simplify with only one footprint. Coq proofs

examples/programs/list_rev/list_rev.mlw_M2_frame_list_1.v

+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below    *)
+Require Import ZArith.
+Require Import Rbase.
+Definition unit  := unit.
+
+Parameter ignore: forall (a:Type), a  -> unit.
+
+Implicit Arguments ignore.
+
+Parameter label_ : Type.
+
+Parameter at1: forall (a:Type), a -> label_  -> a.
+
+Implicit Arguments at1.
+
+Parameter old: forall (a:Type), a  -> a.
+
+Implicit Arguments old.
+
+Parameter ref : forall (a:Type), Type.
+
+Parameter t : forall (a:Type) (b:Type), Type.
+
+Parameter get: forall (a:Type) (b:Type), (t a b) -> a  -> b.
+
+Implicit Arguments get.
+
+Parameter set: forall (a:Type) (b:Type), (t a b) -> a -> b  -> (t a b).
+
+Implicit Arguments set.
+
+Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(t a b)), forall (a1:a)
+  (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1).
+
+Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(t a b)),
+  forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
+  a2) = (get m a2)).
+
+Parameter create_const: forall (b:Type) (a:Type), b  -> (t a b).
+
+Set Contextual Implicit.
+Implicit Arguments create_const.
+Unset Contextual Implicit.
+
+Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
+  ((get (create_const(b1):(t a b)) a1) = b1).
+
+Parameter pointer : Type.
+
+Definition next  := (t pointer pointer).
+
+Parameter null:  pointer.
+
+
+Parameter value:  (t pointer Z).
+
+
+Parameter next1:  (t pointer pointer).
+
+
+Inductive is_list : (t pointer pointer) -> pointer -> Prop :=
+  | is_list_null : forall (next2:(t pointer pointer)) (p:pointer),
+      (p = (null )) -> (is_list next2 p)
+  | is_list_next : forall (next3:(t pointer pointer)) (p:pointer),
+      (~ (p = (null ))) -> ((is_list next3 (get next3 p)) -> (is_list next3
+      p)).
+
+Parameter ft : forall (a:Type), Type.
+
+Parameter in_ft: pointer -> (ft pointer)  -> Prop.
+
+
+Parameter list_ft: (t pointer pointer) -> pointer  -> (ft pointer).
+
+
+Axiom list_ft_node_null_cor : forall (next4:(t pointer pointer)) (q:pointer)
+  (p:pointer), (q = (null )) -> ~ (in_ft p (list_ft next4 q)).
+
+Axiom list_ft_node_next1 : forall (next5:(t pointer pointer)) (q:pointer)
+  (p:pointer), (~ (q = (null ))) -> ((is_list next5 (get next5 q)) ->
+  ((in_ft p (list_ft next5 (get next5 q))) -> (in_ft p (list_ft next5 q)))).
+
+Axiom list_ft_node_next2 : forall (next6:(t pointer pointer)) (q:pointer),
+  (~ (q = (null ))) -> ((is_list next6 (get next6 q)) -> (in_ft q
+  (list_ft next6 q))).
+
+Axiom list_ft_node_next_inv : forall (next7:(t pointer pointer)) (q:pointer)
+  (p:pointer), (~ (q = (null ))) -> ((is_list next7 (get next7 q)) ->
+  ((~ (q = p)) -> ((in_ft p (list_ft next7 q)) -> (in_ft p (list_ft next7
+  (get next7 q)))))).
+
+Theorem frame_list : forall (next8:(t pointer pointer)) (p:pointer)
+  (q:pointer) (v:pointer), (~ (in_ft q (list_ft next8 p))) -> ((is_list next8
+  p) -> (is_list (set next8 q v) p)).
+(* YOU MAY EDIT THE PROOF BELOW *)
+intros.
+induction H0.
+apply (is_list_null _ _ H0).
+apply (is_list_next _ _ H0).
+assert (q<>p) by (intro eq;apply H;rewrite eq;clear eq;apply (list_ft_node_next2 _ _ H0 H1)).
+rewrite (Select_neq _ _ _ _ _ _ H2).
+apply IHis_list.
+contradict H.
+exact (list_ft_node_next1 _ _ _ H0 H1 H).
+Qed.
+(* DO NOT EDIT BELOW *)
+
+

examples/programs/list_rev/list_rev.mlw_M2_frame_list_ft_1.v

+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below    *)
+Require Import ZArith.
+Require Import Rbase.
+Definition unit  := unit.
+
+Parameter ignore: forall (a:Type), a  -> unit.
+
+Implicit Arguments ignore.
+
+Parameter label_ : Type.
+
+Parameter at1: forall (a:Type), a -> label_  -> a.
+
+Implicit Arguments at1.
+
+Parameter old: forall (a:Type), a  -> a.
+
+Implicit Arguments old.
+
+Definition ref (a:Type) := a.
+
+Parameter map : forall (a:Type) (b:Type), Type.
+
+Parameter get: forall (a:Type) (b:Type), (map a b) -> a  -> b.
+
+Implicit Arguments get.
+
+Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b  -> (map a b).
+
+Implicit Arguments set.
+
+Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
+  forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
+  a2) = b1).
+
+Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
+  forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
+  a2) = (get m a2)).
+
+Parameter create_const: forall (b:Type) (a:Type), b  -> (map a b).
+
+Set Contextual Implicit.
+Implicit Arguments create_const.
+Unset Contextual Implicit.
+
+Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
+  ((get (create_const(b1):(map a b)) a1) = b1).
+
+Parameter pointer : Type.
+
+Axiom pointer_dec : forall (p1:pointer) (p2:pointer), (p1 = p2) \/
+  ~ (p1 = p2).
+
+Definition next  := (map pointer pointer).
+
+Parameter null:  pointer.
+
+
+Parameter value:  (map pointer Z).
+
+
+Parameter next1:  (map pointer pointer).
+
+
+Inductive is_list : (map pointer pointer) -> pointer -> Prop :=
+  | is_list_null : forall (next2:(map pointer pointer)) (p:pointer),
+      (p = (null )) -> (is_list next2 p)
+  | is_list_next : forall (next2:(map pointer pointer)) (p:pointer),
+      (~ (p = (null ))) -> ((is_list next2 (get next2 p)) -> (is_list next2
+      p)).
+
+Parameter ft : forall (a:Type), Type.
+
+Parameter in_ft: pointer -> (ft pointer)  -> Prop.
+
+
+Axiom set_eq : forall (ft1:(ft pointer)) (ft2:(ft pointer)),
+  (forall (q:pointer), (in_ft q ft1) <-> (in_ft q ft2)) -> (ft1 = ft2).
+
+Parameter list_ft: (map pointer pointer) -> pointer  -> (ft pointer).
+
+
+Axiom list_ft_node_null_cor : forall (next2:(map pointer pointer))
+  (q:pointer) (p:pointer), (q = (null )) -> ~ (in_ft p (list_ft next2 q)).
+
+Axiom list_ft_node_next1 : forall (next2:(map pointer pointer)) (q:pointer)
+  (p:pointer), (~ (q = (null ))) -> ((is_list next2 (get next2 q)) ->
+  ((in_ft p (list_ft next2 (get next2 q))) -> (in_ft p (list_ft next2 q)))).
+
+Axiom list_ft_node_next2 : forall (next2:(map pointer pointer)) (q:pointer),
+  (~ (q = (null ))) -> ((is_list next2 (get next2 q)) -> (in_ft q
+  (list_ft next2 q))).
+
+Axiom list_ft_node_next_inv : forall (next2:(map pointer pointer))
+  (q:pointer) (p:pointer), (~ (q = (null ))) -> ((is_list next2 (get next2
+  q)) -> ((~ (q = p)) -> ((in_ft p (list_ft next2 q)) -> (in_ft p
+  (list_ft next2 (get next2 q)))))).
+
+Axiom frame_list : forall (next2:(map pointer pointer)) (p:pointer)
+  (q:pointer) (v:pointer), (~ (in_ft q (list_ft next2 p))) -> ((is_list next2
+  p) -> (is_list (set next2 q v) p)).
+
+Definition sep_node_list(next2:(map pointer pointer)) (p1:pointer)
+  (p2:pointer): Prop := ~ (in_ft p1 (list_ft next2 p2)).
+
+Theorem frame_list_ft : forall (next2:(map pointer pointer)) (p:pointer)
+  (q:pointer) (v:pointer), (~ (in_ft q (list_ft next2 p))) -> ((is_list next2
+  p) -> ((list_ft next2 p) = (list_ft (set next2 q v) p))).
+(* YOU MAY EDIT THE PROOF BELOW *)
+intros.
+apply set_eq.
+intros.
+split;intro.
+(** First part *)
+induction H0.
+apply (list_ft_node_null_cor _ _ _ H0) in H1;contradiction.
+(* some asserts *)
+assert (q<>p) by (intro eq;apply H;rewrite eq;clear eq;apply (list_ft_node_next2 _ _ H0 H2)).
+assert  (H2' : is_list (set next2 q v) (get (set next2 q v) p))
+by (rewrite (Select_neq _ _ _ _ _ v H3);refine (frame_list _ _ _ _ _ H2);contradict H;exact (list_ft_node_next1 _ _ _ H0 H2 H)).
+(* *)
+destruct (pointer_dec p q0).
+rewrite <- H4.
+exact (list_ft_node_next2 _ p H0 H2').
+(* p <> q0 *)
+apply (list_ft_node_next1 _ _ _ H0 H2').
+rewrite (Select_neq _ _ _ _ _ _ H3).
+apply IHis_list.
+contradict H;exact (list_ft_node_next1 _ _ _ H0 H2 H).
+exact (list_ft_node_next_inv _ _ _ H0 H2 H4 H1).
+(** Second part *)
+induction H0.
+apply (list_ft_node_null_cor _ _ _ H0) in H1;contradiction.
+(* some asserts *)
+assert (q<>p) by (intro eq;apply H;rewrite eq;clear eq;apply (list_ft_node_next2 _ _ H0 H2)).
+assert  (H2' : is_list (set next2 q v) (get (set next2 q v) p))
+by (rewrite (Select_neq _ _ _ _ _ v H3);refine (frame_list _ _ _ _ _ H2);contradict H;exact (list_ft_node_next1 _ _ _ H0 H2 H)).
+(* *)
+destruct (pointer_dec p q0).
+rewrite <- H4.
+exact (list_ft_node_next2 _ p H0 H2).
+(* p <> q0 *)
+apply (list_ft_node_next1 _ _ _ H0 H2).
+apply IHis_list.
+contradict H;exact (list_ft_node_next1 _ _ _ H0 H2 H).
+rewrite <- (Select_neq _ _ _ _ _ v H3).
+exact (list_ft_node_next_inv _ _ _ H0 H2' H4 H1).
+Qed.
+(* DO NOT EDIT BELOW *)
+
+

examples/programs/list_rev/list_rev.mlw_M2_frame_model_1.v

+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below    *)
+Require Import ZArith.
+Require Import Rbase.
+Definition unit  := unit.
+
+Parameter ignore: forall (a:Type), a  -> unit.
+
+Implicit Arguments ignore.
+
+Parameter label_ : Type.
+
+Parameter at1: forall (a:Type), a -> label_  -> a.
+
+Implicit Arguments at1.
+
+Parameter old: forall (a:Type), a  -> a.
+
+Implicit Arguments old.
+
+Parameter ref : forall (a:Type), Type.
+
+Parameter t : forall (a:Type) (b:Type), Type.
+
+Parameter get: forall (a:Type) (b:Type), (t a b) -> a  -> b.
+
+Implicit Arguments get.
+
+Parameter set: forall (a:Type) (b:Type), (t a b) -> a -> b  -> (t a b).
+
+Implicit Arguments set.
+
+Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(t a b)), forall (a1:a)
+  (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1).
+
+Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(t a b)),
+  forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
+  a2) = (get m a2)).
+
+Parameter create_const: forall (b:Type) (a:Type), b  -> (t a b).
+
+Set Contextual Implicit.
+Implicit Arguments create_const.
+Unset Contextual Implicit.
+
+Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
+  ((get (create_const(b1):(t a b)) a1) = b1).
+
+Parameter pointer : Type.
+
+Definition next  := (t pointer pointer).
+
+Parameter null:  pointer.
+
+
+Parameter value:  (t pointer Z).
+
+
+Parameter next1:  (t pointer pointer).
+
+
+Inductive is_list : (t pointer pointer) -> pointer -> Prop :=
+  | is_list_null : forall (next2:(t pointer pointer)) (p:pointer),
+      (p = (null )) -> (is_list next2 p)
+  | is_list_next : forall (next3:(t pointer pointer)) (p:pointer),
+      (~ (p = (null ))) -> ((is_list next3 (get next3 p)) -> (is_list next3
+      p)).
+
+Parameter ft : forall (a:Type), Type.
+
+Parameter in_ft: pointer -> (ft pointer)  -> Prop.
+
+
+Parameter list_ft: (t pointer pointer) -> pointer  -> (ft pointer).
+
+
+Axiom list_ft_node_null_cor : forall (next4:(t pointer pointer)) (q:pointer)
+  (p:pointer), (q = (null )) -> ~ (in_ft p (list_ft next4 q)).
+
+Axiom list_ft_node_next1 : forall (next5:(t pointer pointer)) (q:pointer)
+  (p:pointer), (~ (q = (null ))) -> ((is_list next5 (get next5 q)) ->
+  ((in_ft p (list_ft next5 (get next5 q))) -> (in_ft p (list_ft next5 q)))).
+
+Axiom list_ft_node_next2 : forall (next6:(t pointer pointer)) (q:pointer),
+  (~ (q = (null ))) -> ((is_list next6 (get next6 q)) -> (in_ft q
+  (list_ft next6 q))).
+
+Axiom list_ft_node_next_inv : forall (next7:(t pointer pointer)) (q:pointer)
+  (p:pointer), (~ (q = (null ))) -> ((is_list next7 (get next7 q)) ->
+  ((~ (q = p)) -> ((in_ft p (list_ft next7 q)) -> (in_ft p (list_ft next7
+  (get next7 q)))))).
+
+Axiom frame_list : forall (next8:(t pointer pointer)) (p:pointer) (q:pointer)
+  (v:pointer), (~ (in_ft q (list_ft next8 p))) -> ((is_list next8 p) ->
+  (is_list (set next8 q v) p)).
+
+Definition sep_node_list(next9:(t pointer pointer)) (p1:pointer)
+  (p2:pointer): Prop := ~ (in_ft p1 (list_ft next9 p2)).
+
+Axiom frame_list_ft : forall (next10:(t pointer pointer)) (p:pointer)
+  (q:pointer) (v:pointer), (~ (in_ft q (list_ft next10 p))) ->
+  ((list_ft next10 p) = (list_ft (set next10 q v) p)).
+
+Definition sep_list_list(next11:(t pointer pointer)) (p1:pointer)
+  (p2:pointer): Prop := forall (q:pointer), (~ (in_ft q (list_ft next11
+  p1))) \/ ~ (in_ft q (list_ft next11 p2)).
+
+Axiom acyclic_list : forall (next12:(t pointer pointer)) (p:pointer),
+  (~ (p = (null ))) -> ((is_list next12 p) -> (sep_node_list next12 p
+  (get next12 p))).
+
+Inductive list (a:Type) :=
+  | Nil : list a
+  | Cons : a -> (list a) -> list a.
+Set Contextual Implicit.
+Implicit Arguments Nil.
+Unset Contextual Implicit.
+Implicit Arguments Cons.
+
+Parameter infix_plpl: forall (a:Type), (list a) -> (list a)  -> (list a).
+
+Implicit Arguments infix_plpl.
+
+Axiom infix_plpl_def : forall (a:Type), forall (l1:(list a)) (l2:(list a)),
+  match l1 with
+  | Nil  => ((infix_plpl l1 l2) = l2)
+  | Cons x1 r1 => ((infix_plpl l1 l2) = (Cons x1 (infix_plpl r1 l2)))
+  end.
+
+Axiom Append_assoc : forall (a:Type), forall (l1:(list a)) (l2:(list a))
+  (l3:(list a)), ((infix_plpl l1 (infix_plpl l2
+  l3)) = (infix_plpl (infix_plpl l1 l2) l3)).
+
+Axiom Append_l_nil : forall (a:Type), forall (l:(list a)), ((infix_plpl l
+  (Nil:(list a))) = l).
+
+Parameter length: forall (a:Type), (list a)  -> Z.
+
+Implicit Arguments length.
+
+Axiom length_def : forall (a:Type), forall (l:(list a)),
+  match l with
+  | Nil  => ((length l) = 0%Z)
+  | Cons _ r => ((length l) = (1%Z + (length r))%Z)
+  end.
+
+Axiom Length_nonnegative : forall (a:Type), forall (l:(list a)),
+  (0%Z <= (length l))%Z.
+
+Axiom Length_nil : forall (a:Type), forall (l:(list a)),
+  ((length l) = 0%Z) <-> (l = (Nil:(list a))).
+
+Axiom Append_length : forall (a:Type), forall (l1:(list a)) (l2:(list a)),
+  ((length (infix_plpl l1 l2)) = ((length l1) + (length l2))%Z).
+
+Parameter mem: forall (a:Type), a -> (list a)  -> Prop.
+
+Implicit Arguments mem.
+
+Axiom mem_def : forall (a:Type), forall (x:a) (l:(list a)),
+  match l with
+  | Nil  => ~ (mem x l)
+  | Cons y r => (mem x l) <-> ((x = y) \/ (mem x r))
+  end.
+
+Axiom mem_append : forall (a:Type), forall (x:a) (l1:(list a)) (l2:(list a)),
+  (mem x (infix_plpl l1 l2)) <-> ((mem x l1) \/ (mem x l2)).
+
+Parameter reverse: forall (a:Type), (list a)  -> (list a).
+
+Implicit Arguments reverse.
+
+Axiom reverse_def : forall (a:Type), forall (l:(list a)),
+  match l with
+  | Nil  => ((reverse l) = (Nil:(list a)))
+  | Cons x r => ((reverse l) = (infix_plpl (reverse r) (Cons x (Nil:(list
+      a)))))
+  end.
+
+Axiom reverse_append : forall (a:Type), forall (l1:(list a)) (l2:(list a))
+  (x:a), ((infix_plpl (reverse (Cons x l1)) l2) = (infix_plpl (reverse l1)
+  (Cons x l2))).
+
+Axiom Reverse_length : forall (a:Type), forall (l:(list a)),
+  ((length (reverse l)) = (length l)).
+
+Parameter model: (t pointer pointer) -> pointer  -> (list pointer).
+
+
+Axiom model_def1 : forall (next13:(t pointer pointer)) (p:pointer),
+  (p = (null )) -> ((model next13 p) = (Nil:(list pointer))).
+
+Axiom model_def2 : forall (next14:(t pointer pointer)) (p:pointer),
+  (~ (p = (null ))) -> ((model next14 p) = (Cons p (model next14 (get next14
+  p)))).
+
+Theorem frame_model : forall (next15:(t pointer pointer)) (p:pointer)
+  (q:pointer) (v:pointer), (is_list next15 p) -> ((~ (in_ft q (list_ft next15
+  p))) -> ((model next15 p) = (model (set next15 q v) p))).
+(* YOU MAY EDIT THE PROOF BELOW *)
+intros.
+induction H.
+rewrite (model_def1 _ _ H).
+rewrite (model_def1 _ _ H).
+reflexivity.
+rewrite -> (model_def2 _ _ H).
+symmetry.
+rewrite -> (model_def2 _ _ H).
+symmetry.
+assert (q<>p) by (intro eq;apply H0;rewrite eq;clear eq;apply (list_ft_node_next2 _ _ H H1)).
+rewrite (Select_neq _ _ _ _ _ _ H2).
+rewrite IHis_list.
+reflexivity.
+contradict H0.
+exact (list_ft_node_next1 _ _ _  H H1 H0).
+Qed.
+(* DO NOT EDIT BELOW *)
+
+

theories/list.why

@@ -115,6 +115,9 @@ theory Reverse
     | Cons x r -> reverse r ++ Cons x Nil
   end
 
+  lemma reverse_append : forall l1 : list 'a, l2 : list 'a, x : 'a.
+  (reverse (Cons x l1)) ++ l2 = (reverse l1) ++ (Cons x l2)
+
   use import Length
 
   lemma Reverse_length :