example decrease1: Coq proof and recursive version

c232ed5b · Jean-Christophe Filliâtre · b7c7d6f9 · c232ed5b · c232ed5b · c232ed5b
Commit c232ed5b authored May 16, 2011 by Jean-Christophe Filliâtre
3 changed files
--- a/examples/programs/decrease1.mlw
+++ b/examples/programs/decrease1.mlw
@@ -18,21 +18,38 @@ module Decrease1
    forall a: array int. decrease1 a ->
    forall i j: int. 0 <= i <= j < length a -> a[j] >= a[i] + i - j

-  exception Found int
+  exception Found

  let search (a: array int) =
    { decrease1 a }
    let i = ref 0 in
-    while !i < length a do
-      invariant { 0 <= i and 
-                  forall j: int. 0 <= j < i -> j < length a -> a[j] <> 0 }
-      variant   { length a - i }
-      if get a !i = 0 then raise (Found !i);
-      if get a !i > 0 then i := !i + get a !i else i := !i + 1
-    done
-    { forall j: int. 0 <= j < length a -> a[j] <> 0 } 
-    | Found -> { 0 <= result < length a and a[result] = 0 and 
-                 forall j: int. 0 <= j < result -> a[j] <> 0 }
+    try
+      while !i < length a do
+        invariant { 0 <= i and 
+                    forall j: int. 0 <= j < i -> j < length a -> a[j] <> 0 }
+        variant   { length a - i }
+        if get a !i = 0 then raise Found;
+        if get a !i > 0 then i := !i + get a !i else i := !i + 1
+      done;
+      -1
+    with Found -> 
+      !i
+    end
+    {  (result = -1 and forall j: int. 0 <= j < length a -> a[j] <> 0)
+    or (0 <= result < length a and a[result] = 0 and 
+        forall j: int. 0 <= j < result -> a[j] <> 0) }
+
+  let rec search_rec (a: array int) (i : int) =
+    { decrease1 a and 0 <= i }
+    if i < length a then
+      if get a i = 0 then i
+      else if get a i > 0 then search_rec a (i + get a i) 
+      else search_rec a (i + 1)
+    else
+      -1
+    {  (result = -1 and forall j: int. i <= j < length a -> a[j] <> 0)
+    or (i <= result < length a and a[result] = 0 and 
+        forall j: int. i <= j < result -> a[j] <> 0) }

 end


--- a/examples/programs/decrease1/decrease1.mlw_Decrease1_decrease1_induction_2.v
+++ b/examples/programs/decrease1/decrease1.mlw_Decrease1_decrease1_induction_2.v
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below    *)
+Require Import ZArith.
+Require Import Rbase.
+Definition unit  := unit.
+
+Parameter ignore: forall (a:Type), a  -> unit.
+
+Implicit Arguments ignore.
+
+Parameter label_ : Type.
+
+Parameter at1: forall (a:Type), a -> label_  -> a.
+
+Implicit Arguments at1.
+
+Parameter old: forall (a:Type), a  -> a.
+
+Implicit Arguments old.
+
+Definition ref (a:Type) := a.
+
+Parameter map : forall (a:Type) (b:Type), Type.
+
+Parameter get: forall (a:Type) (b:Type), (map a b) -> a  -> b.
+
+Implicit Arguments get.
+
+Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b  -> (map a b).
+
+Implicit Arguments set.
+
+Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
+  forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
+  a2) = b1).
+
+Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
+  forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
+  a2) = (get m a2)).
+
+Parameter create_const: forall (b:Type) (a:Type), b  -> (map a b).
+
+Set Contextual Implicit.
+Implicit Arguments create_const.
+Unset Contextual Implicit.
+
+Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
+  ((get (create_const(b1):(map a b)) a1) = b1).
+
+Inductive array (a:Type) :=
+  | mk_array : Z -> (map Z a) -> array a.
+Implicit Arguments mk_array.
+
+Definition elts (a:Type)(u:(array a)): (map Z a) :=
+  match u with
+  | mk_array _ elts1 => elts1
+  end.
+Implicit Arguments elts.
+
+Definition length (a:Type)(u:(array a)): Z :=
+  match u with
+  | mk_array length1 _ => length1
+  end.
+Implicit Arguments length.
+
+Definition mixfix_lbrb (a:Type)(a1:(array a)) (i:Z): a := (get (elts a1) i).
+Implicit Arguments mixfix_lbrb.
+
+Definition decrease1(a:(array Z)): Prop := forall (i:Z), ((0%Z <= i)%Z /\
+  (i <  ((length a) - 1%Z)%Z)%Z) -> (((mixfix_lbrb a
+  i) - 1%Z)%Z <= (mixfix_lbrb a (i + 1%Z)%Z))%Z.
+
+Theorem decrease1_induction : forall (a:(array Z)), (decrease1 a) ->
+  forall (i:Z) (j:Z), (((0%Z <= i)%Z /\ (i <= j)%Z) /\
+  (j <  (length a))%Z) -> ((((mixfix_lbrb a
+  i) + i)%Z - j)%Z <= (mixfix_lbrb a j))%Z.
+(* YOU MAY EDIT THE PROOF BELOW *)
+unfold decrease1.
+intros a Ha i j Hij.
+generalize Hij; pattern j.
+apply (Zlt_lower_bound_ind _ i).
+2: omega.
+intuition.
+assert (x = i \/ i < x)%Z by omega.
+destruct H4.
+subst x.
+ring_simplify.
+omega.
+apply Zle_trans with (mixfix_lbrb a (x-1) - 1)%Z.
+assert (i <= x-1 < x)%Z by omega.
+assert (0 <= i <= x-1 /\ x-1 < length a)%Z by omega.
+generalize (H (x-1)%Z H8 H9); clear H; intuition.
+apply Zle_trans with (mixfix_lbrb a (x-1+1))%Z.
+apply (Ha (x-1)%Z); omega.
+ring_simplify (x-1+1)%Z.
+omega.
+Qed.
+(* DO NOT EDIT BELOW *)
+
+
--- a/examples/programs/decrease1/why3session.xml
+++ b/examples/programs/decrease1/why3session.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session SYSTEM "why3session.dtd">
+<why3session name="examples/programs/decrease1/why3session.xml">
+ <file name="../decrease1.mlw" verified="true" expanded="true">
+  <theory name="Decrease1" verified="true" expanded="true">
+   <goal name="decrease1_induction" sum="8319c3299f6c5b391aec5943ca151429" proved="true" expanded="true">
+    <proof prover="coq" timelimit="10" edited="examples/programs/decrease1/decrease1.mlw_Decrease1_decrease1_induction_2.v" obsolete="false">
+     <result status="valid" time="0.75"/>
+    </proof>
+    <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+     <result status="unknown" time="0.43"/>
+    </proof>
+   </goal>
+   <goal name="WP_search" expl="correctness of search" sum="5f9e29fcb501d5550c29bfbd1c8fd584" proved="true" expanded="true">
+    <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+     <result status="timeout" time="10.12"/>
+    </proof>
+    <transf name="split_goal" proved="true" expanded="true">
+     <goal name="WP_search.1" expl="loop invariant init" sum="5d4fd28ee3c69be535f8ee535e6cb802" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search.2" expl="precondition" sum="d315642af07745fcac77676c671ffee3" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search.3" expl="normal postcondition" sum="fa8f0f929008e376cd5e388239a0320a" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.05"/>
+      </proof>
+     </goal>
+     <goal name="WP_search.4" expl="precondition" sum="026ddab308389db6e2db01c19192eb40" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search.5" expl="precondition" sum="3f6bcaf82657cc2a967502da8329005b" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search.6" expl="loop invariant preservation" sum="5bce229f4e8d1fc1fc6e04c42e6e408b" proved="true" expanded="true">
+      <proof prover="cvc3" timelimit="10" edited="" obsolete="false">
+       <result status="unknown" time="3.17"/>
+      </proof>
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="timeout" time="10.19"/>
+      </proof>
+      <proof prover="z3" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.10"/>
+      </proof>
+     </goal>
+     <goal name="WP_search.7" expl="loop variant decreases" sum="996216bff5e7480e0a1fe0e3968b8ffb" proved="true" expanded="true">
+      <proof prover="cvc3" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+      <proof prover="z3" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.04"/>
+      </proof>
+      <transf name="split_goal" proved="true" expanded="true">
+       <goal name="WP_search.7.1" expl="correctness of search" sum="d97f71408572fc6c730314dd5bebfe22" proved="true" expanded="true">
+        <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+         <result status="valid" time="0.02"/>
+        </proof>
+       </goal>
+       <goal name="WP_search.7.2" expl="correctness of search" sum="1f8eb20d029c95d115aa48530508032c" proved="true" expanded="true">
+        <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+         <result status="valid" time="0.02"/>
+        </proof>
+        <proof prover="z3" timelimit="10" edited="" obsolete="false">
+         <result status="valid" time="0.03"/>
+        </proof>
+        <proof prover="yices" timelimit="10" edited="" obsolete="false">
+         <result status="valid" time="0.03"/>
+        </proof>
+       </goal>
+      </transf>
+     </goal>
+     <goal name="WP_search.8" expl="loop invariant preservation" sum="fc6718c43629f048e462fa6063b11410" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search.9" expl="loop variant decreases" sum="14c9dd5d9133e195e8e688d19a5d7e19" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search.10" expl="normal postcondition" sum="ff98d91de211d86ceddf8f37215c787c" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.03"/>
+      </proof>
+     </goal>
+    </transf>
+   </goal>
+   <goal name="WP_search_rec" expl="correctness of search_rec" sum="359800e7e063b55fb2e4665ffe6c7a62" proved="true" expanded="true">
+    <proof prover="cvc3" timelimit="10" edited="" obsolete="true">
+     <result status="unknown" time="0.21"/>
+    </proof>
+    <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+     <result status="timeout" time="10.22"/>
+    </proof>
+    <proof prover="z3" timelimit="10" edited="" obsolete="true">
+     <result status="timeout" time="10.50"/>
+    </proof>
+    <transf name="split_goal" proved="true" expanded="true">
+     <goal name="WP_search_rec.1" expl="precondition" sum="b862eaa14642db1bca4cfd29e71dc85a" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search_rec.2" expl="normal postcondition" sum="028a83456b4c241f325751fe75ff7cfe" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+       <result status="valid" time="0.03"/>
+      </proof>
+     </goal>
+     <goal name="WP_search_rec.3" expl="precondition" sum="58493f837aaa39a3890ba4c802e46109" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search_rec.4" expl="precondition" sum="99a18ac863afa1e6b4acfb99b4d0dae6" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search_rec.5" expl="precondition" sum="44a5c5d945aad7cfe2bcc7d4adf728f2" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+     <goal name="WP_search_rec.6" expl="normal postcondition" sum="699e81654d2a303c491cfab413eb3501" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="false">
+       <result status="timeout" time="10.08"/>
+      </proof>
+      <proof prover="z3" timelimit="10" edited="" obsolete="false">
+       <result status="valid" time="0.24"/>
+      </proof>
+     </goal>
+     <goal name="WP_search_rec.7" expl="precondition" sum="9453d56ae3a433905973837d2fab5f11" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+       <result status="valid" time="0.03"/>
+      </proof>
+     </goal>
+     <goal name="WP_search_rec.8" expl="normal postcondition" sum="179d0569c8256c2c7e5e5730ab534329" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+       <result status="valid" time="0.05"/>
+      </proof>
+     </goal>
+     <goal name="WP_search_rec.9" expl="normal postcondition" sum="a5e3a9553c1dbb830d1064e70335f3a9" proved="true" expanded="true">
+      <proof prover="alt-ergo" timelimit="10" edited="" obsolete="true">
+       <result status="valid" time="0.02"/>
+      </proof>
+     </goal>
+    </transf>
+   </goal>
+  </theory>
+ </file>
+</why3session>