library: map.MapPermut now defined using map.Occ

(that is, using number of occurrences)
No more definition of permutation using inductive predicates.
Impacts array.ArrayPermut; proof sessions updated.
Coq realizations for map.Occ and map.MapPermut;
proof session for array.ArrayPermut in progress

Makefile.in

@@ -865,7 +865,7 @@ COQLIBS_NUMBER = $(addprefix lib/coq/number/, $(COQLIBS_NUMBER_FILES))
 COQLIBS_SET_FILES = Set
 COQLIBS_SET = $(addprefix lib/coq/set/, $(COQLIBS_SET_FILES))
 
-COQLIBS_MAP_FILES = Map MapPermut MapInjection
+COQLIBS_MAP_FILES = Map Occ MapPermut MapInjection
 COQLIBS_MAP = $(addprefix lib/coq/map/, $(COQLIBS_MAP_FILES))
 
 COQLIBS_LIST_FILES = List Length Mem Nth NthLength HdTl NthHdTl Append NthLengthAppend Reverse

examples/algo64.mlw

@@ -21,19 +21,24 @@ module Algo64
 
   (* Algorithm 63 *)
 
-  val partition (a:array int) (m n:int) (i j:ref int) : unit
+  val partition (a: array int) (m n: int) (i j: ref int) (ghost x: ref int) :
+    unit
     requires { 0 <= m < n < length a }
     writes   { a, i, j}
     ensures  { m <= !j < !i <= n }
     ensures  { permut_sub (old a) a m (n+1) }
-    ensures  {
-      exists x:int.
-        (forall r:int. m <= r <= !j -> a[r] <= x) /\
-        (forall r:int. !j < r < !i -> a[r] = x) /\
-        (forall r:int. !i <= r <= n -> a[r] >= x) }
+    ensures  { forall r:int. m <= r <= !j -> a[r] <= !x }
+    ensures  { forall r:int. !j < r < !i -> a[r] = !x }
+    ensures  { forall r:int. !i <= r <= n -> a[r] >= !x }
 
   (* Algorithm 64 *)
 
+  predicate qs_partition (t1 t2: array int) (m n i j: int) (x: int) =
+    permut_sub t1 t2 m (n+1) /\
+    (forall k:int. m <= k <= j  -> t2[k] <= x) /\
+    (forall k:int. j <  k <  i  -> t2[k] =  x) /\
+    (forall k:int. i <= k <= n ->  t2[k] >= x)
+
   let rec quicksort (a:array int) (m n:int) : unit
     requires { 0 <= m <= n < length a }
     variant  { n - m }
@@ -42,33 +47,16 @@ module Algo64
   = if m < n then begin
       let i = ref 0 in
       let j = ref 0 in
-      partition a m n i j;
+      let ghost x = ref 42 in
+      partition a m n i j x;
 'L1:  quicksort a m !j;
-      assert { permut_sub (at a 'L1) a m (n+1) };
-      assert { forall r:int. !j < r <= n -> a[r] = (at a 'L1)[r] };
-      assert { forall r:int. m <= r <= !j ->
-        (exists s:int. m <= s <= !j /\ a[r] = (at a 'L1)[s]) &&
-        a[r] <= a[!j+1] };
+      assert { qs_partition (at a 'L1) a m n !i !j !x };
 'L2:  quicksort a !i n;
-      assert { permut_sub (at a 'L2) a m (n+1) };
-      assert { forall r:int. m <= r < !i -> a[r] = (at a 'L2)[r] };
-      assert { forall r:int. !i <= r <= n ->
-        (exists s:int. !i <= s <= n /\ a[r] = (at a 'L2)[s]) &&
-        a[r] >= a[!i-1] };
-      assert { 
-        forall r s:int. m <= r <= s <= n ->
-          if r <= !j then
-            if s <= !j then "a" a[r] <= a[s] else
-            if s <  !i then "b" a[r] <= a[s] else
-                            "c" a[r] <= a[s] else
-          if r <  !i then
-            if s <  !i then "d" a[r] <= a[s] else
-                            "e" a[r] <= a[s] else
-                            "f" a[r] <= a[s] }
+      assert { qs_partition (at a 'L2) a m n !i !j !x }
     end
 
   let qs (a:array int) : unit
-    ensures  { permut_all (old a) a }
+    ensures  { permut_all (old a) a /\ qs_partition (old a) a 0 0 0 0 0 }
     ensures  { sorted a }
   = if length a > 0 then quicksort a 0 (length a - 1)
 

examples/algo65.mlw

@@ -20,20 +20,19 @@ module Algo65
 
   (* algorithm 63 *)
 
-  val partition (a:array int) (m n:int) (i j:ref int) : unit
+  val partition (a:array int) (m n: int) (i j: ref int) (ghost x: ref int) :
+    unit
     requires { 0 <= m < n < length a }
     writes   { a, i, j }
     ensures  { m <= !j < !i <= n }
     ensures  { permut_sub (old a) a m (n+1) }
-    ensures  {
-      exists x:int.
-        (forall r:int. m <= r <= !j -> a[r] <= x) /\
-        (forall r:int. !j < r < !i -> a[r] = x) /\
-        (forall r:int. !i <= r <= n -> a[r] >= x) }
+    ensures  { forall r:int. m <= r <= !j -> a[r] <= !x }
+    ensures  { forall r:int. !j < r < !i -> a[r] = !x }
+    ensures  { forall r:int. !i <= r <= n -> a[r] >= !x }
 
   (* Algorithm 65 (fixed version) *)
 
-  let rec find (a:array int) (m n:int) (k:int) : unit 
+  let rec find (a:array int) (m n:int) (k:int) : unit
     requires { 0 <= m <= k <= n < length a }
     variant  { n - m }
     ensures  { permut_sub (old a) a m (n+1) }
@@ -42,7 +41,8 @@ module Algo65
   = if m < n then begin
       let i = ref 0 in
       let j = ref 0 in
-      partition a m n i j;
+      let ghost x = ref 42 in
+      partition a m n i j x;
 'L1:
       if k <= !j then find a m !j k;
       assert { permut_sub (at a 'L1) a m (n+1) };

examples/insertion_sort_naive.mlw

@@ -15,7 +15,7 @@ module InsertionSortNaive
   use import array.ArraySorted
   use import array.ArrayPermut
 
-  let sort (a:array int) 
+  let sort (a:array int)
     ensures { sorted a }
     ensures { permut_all (old a) a }
   =
@@ -68,7 +68,7 @@ module InsertionSortNaiveGen
   predicate sorted (a : array elt) =
     M.sorted_sub a.elts 0 a.length
 
-  let sort (a:array elt) 
+  let sort (a:array elt)
     ensures { sorted a }
     ensures { permut_all (old a) a }
   =
@@ -161,7 +161,8 @@ end
 
 module InsertionSortParamBad
 
-   (* this version is hard to prove because predicate sorted_sub applies to an array instead of a map *)
+   (* this version is hard to prove because predicate sorted_sub
+      applies to an array instead of a map *)
 
   use import int.Int
   use import ref.Ref

examples/quicksort.mlw

@@ -15,6 +15,12 @@ module Quicksort
   use import array.ArrayPermut
   use import array.ArrayEq
 
+  predicate qs_partition (t1 t2: array int) (l m r: int) (v: int) =
+    permut_sub t1 t2 l r /\
+    (forall j:int. l <= j < m -> t2[j] < v) /\
+    (forall j:int. m < j < r -> v <= t2[j]) /\
+    t2[m] = v
+
   let rec quick_rec (t: array int) (l: int) (r: int) : unit
     requires { 0 <= l <= r <= length t }
     ensures  { sorted_sub t l r }
@@ -35,19 +41,12 @@ module Quicksort
         end
       done;
   'M: swap t l !m;
-      assert { permut_sub (at t 'M) t l r };
-      assert { forall j:int. l <= j < !m -> t[j] < v };
-      assert { forall j:int. !m < j < r -> t[j] = (at t 'M)[j] };
+      assert { qs_partition (at t 'M) t l !m r v };
   'N: quick_rec t l !m;
-      assert { permut_sub (at t 'N) t l r };
-      assert { forall j:int. l <= j < !m -> t[j] < v };
-      assert { forall j:int. !m <= j < r -> t[j] = (at t 'N)[j] };
+      assert { qs_partition (at t 'N) t l !m r v };
   'O: quick_rec t (!m + 1) r;
-      assert { permut_sub (at t 'O) t l r };
-      assert { forall j:int. l <= j <= !m -> t[j] = (at t 'O)[j] };
-      assert { forall j:int. !m < j < r ->
-        (exists i:int. !m < i < r /\ t[j] = (at t 'O)[i]) &&
-        t[j] >= v }
+      assert { qs_partition (at t 'O) t l !m r v };
+      assert { qs_partition (at t 'N) t l !m r v }
     end
 
   let quicksort (t : array int) =