Commit 7b1fdd68 by MARCHE Claude

### Example sumrange completed using interactive proofs.

However, it remains to specify and prove that [query] in cumulative tree is logarithmic
parent 98e4eca4
 (** {1 Range Sum Queries} We are interested in specifying and proving correct data structures that support efficient computation of the sum of the values over an arbitrary range of an array. Concretely, given an array of integers [a], and given a range delimited by indices [i] (inclusive) and [j] (exclusive), we wish to compute the value: [\sum_{k=i}^{j-1} a[k]]. In the first part, we consider a simple loop for computing the sum in linear time. In the second part, we introduce a cumulative sum array that allows answering arbitrary range queries in constant time. In the third part, we explore a tree data structure that supports modification of values from the underlying array [a], with logarithmic time operations. *) (** {2 Specification of Range Sum} *) module ArraySum use export int.Int use export array.Array (** [sum a i j] denotes the sum [\sum_{i <= k < j} a[k]]. It is axiomatizated by the two following axioms expressing the recursive definition if [i <= j] then [sum a i j = 0] if [i < j] then [sum a i j = a[i] + sum a (i+1) j] *) function sum (array int) int int : int (** [sum a i j] denotes the sum Sum_{i <= k < j} a[k] *) axiom sum_def_empty : forall a : array int, i j : int. j <= i -> sum a i j = 0 ... ... @@ -15,12 +46,11 @@ module ArraySum forall a: array int, i j : int. i < j /\ 0 <= i < a.length -> sum a i j = a[i] + sum a (i+1) j (* lemma sum_right_aux : forall a x j. 0 < j <= a.length -> 0 < x <= j -> sum a (j-x) j = sum a (j-x) (j-1) + a [j-1] *) (** lemma for summation from the right: if [i < j] then [sum a i j = sum a i (j-1) + a[j-1]] *) lemma sum_right : forall a : array int, i j : int. 0 <= i < j <= a.length -> sum a i j = sum a i (j-1) + a[j-1] ... ... @@ -29,6 +59,9 @@ end (** {2 First algorithm, a linear one} *) module Simple use import ArraySum ... ... @@ -49,10 +82,58 @@ module Simple end (** {2 Additional lemmas on [sum]} needed in the remaining code *) module ExtraLemmas use array.Array use import ArraySum (** summation in adjacent intervals *) lemma sum_concat : forall a:array int, i j k:int. 0 <= i <= j <= k <= a.length -> sum a i k = sum a i j + sum a j k (** Frame lemma for [sum], that is [sum a i j] depends only of values of [a[i..j-1]] *) lemma sum_frame : forall a1 a2 : array int, i j : int. 0 <= i <= j -> j <= a1.length -> j <= a2.length -> (forall k : int. i <= k < j -> a1[k] = a2[k]) -> sum a1 i j = sum a2 i j (** Updated lemma for [sum]: how does [sum a i j] changes when [a[k]] is changed for some [k] in [[i..j-1]] *) lemma sum_update : forall a:array int, i v l h:int. 0 <= l <= i < h <= a.length -> sum (a[i<-v]) l h = sum a l h + v - a[i] end (** {2 Algorithm 2: using a cumulative array} creation of cumulative array is linear query is in constant time array update is linear *) module CumulativeArray use array.Array use import ArraySum use ExtraLemmas predicate is_cumulative_array_for (c:array int) (a:array int) = c.length = a.length + 1 /\ ... ... @@ -69,11 +150,6 @@ module CumulativeArray done; s lemma sum_concat : forall a:array int, i j k:int. 0 <= i <= j <= k <= a.length -> sum a i k = sum a i j + sum a j k (** [query c i j a] returns the sum of elements in [a] between index [i] inclusive and index [j] exclusive, in constant time *) let query (c:array int) (i j:int) (ghost a:array int): int ... ... @@ -81,34 +157,19 @@ module CumulativeArray requires { 0 <= i <= j < c.length } ensures { result = sum a i j } = c[j] - c[i] lemma sum_frame : forall a1 a2 : array int, i j : int. 0 <= i <= j -> j <= a1.length -> j <= a2.length -> (forall k : int. i <= k < j -> a1[k] = a2[k]) -> sum a1 i j = sum a2 i j let rec lemma sum_update (a:array int) (i v l h:int) : unit requires { 0 <= l <= i < h <= a.length } variant { h } ensures { sum (a[i<-v]) l h = sum a l h + v - a[i] } = if h > i + 1 then sum_update a i v l (h-1) (*>*) (** [update c i v a] updates cell [a[i]] to value [v] and updates the cumulative array [c] accordingly *) let update (c:array int) (i:int) (v:int) (ghost a:array int) : unit requires { (**) } (**) writes { (**) } requires { is_cumulative_array_for c a } requires { 0 <= i < a.length } writes { c, a } ensures { is_cumulative_array_for c a } ensures { a[i] = v } ensures { forall k. 0 <= k < a.length /\ k <> i -> a[k] = (old a)[k] } = (* (**) } = (* assert { i = ind.low }; (Leaf { ind with isum = v }, v - ind.isum) ... ... @@ -337,23 +330,32 @@ let rec query2 (t:tree) (ghost a: array int) assert { is_tree_for l a[i<-v] t.indexes.low m }; assert { is_tree_for r' a[i<-v] m t.indexes.high }; (Node {ind with isum = ind.isum + delta} l r',delta) end(*>*) (* QUESTION 19 *) end let update (t:tree) (ghost a:array int) (i v:int) : tree requires { (**) } (**) requires { 0 <= i < a.length } requires { is_tree_for t a 0 a.length } writes { a } ensures { a[i] = v } ensures { forall k. 0 <= k < a.length /\ k <> i -> a[k] = (old a)[k] } ensures { is_tree_for result a 0 a.length } = let t,_ = (**) in = let t,_ = update_aux t i a v in a[i] <- v; t (* complexity *) (** {2 complexity analysis} We would like to prove that [query] is really logarithmic. This is non-trivial because there are two recursive calls in some cases. So far, we are only able to prove that [update] is logarithmic We express the complexity by passing a credit'' as a ghost parameter. We pose the precondition that the credit is at least equal to the depth of the tree. *) use import int.MinMax ... ... @@ -366,23 +368,22 @@ let rec query2 (t:tree) (ghost a: array int) use import ref.Ref let rec update_compl (t:tree) (i:int) (ghost a :array int) (v:int) (ghost c:ref int): (tree,int) requires { (**) } (*= depth t } variant { t } (*>*) variant { t } returns { (t',delta) -> (**) } is_tree_for t' a[i<-v] t'.indexes.low t'.indexes.high } = c := !c - 1; match t with | Leaf ind -> (**) assert { i = ind.low }; (Leaf { ind with isum = v }, v - ind.isum) | Node ind l r -> (**) end (** auxiliary result: depth of a cumulative tree is indeed logarithmic in function of the number of its elements *) use import bv.Pow2int let rec lemma depth_is_log (t:tree) (a :array int) (k:int) ... ...
 ... ... @@ -3,26 +3,27 @@ "http://why3.lri.fr/why3session.dtd"> ... ... @@ -32,107 +33,248 @@