FoVeOOS 2011: JC's solutions

parent 12daccee
(* FoVeOOS 2011 verification competition
http://foveoos2011.cost-ic0701.org/verification-competition
Challenge 1
*)
module Max
use import module ref.Refint
use import module array.Array
let max (a: array int) =
{ length a > 0 }
let x = ref 0 in
let y = ref (length a - 1) in
while !x <> !y do
invariant {
0 <= !x <= !y < length a /\
forall i: int. (0 <= i < !x \/ !y < i < length a) ->
(a[i] <= a[!y] \/ a[i] <= a[!x])
}
variant { !y - !x }
if a[!x] <= a[!y] then incr x else decr y
done;
!x
{ 0 <= result < length a /\
forall i: int. 0 <= i < length a -> a[i] <= a[result] }
end
(*
Local Variables:
compile-command: "unset LANG; make -C ../.. examples/programs/foveoos11_challenge1.gui"
End:
*)
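Review bot: The loop invariant in `max` carries the whole correctness argument, yet nothing explains why the disjunction `a[i] <= a[!y] \/ a[i] <= a[!x]` is the right shape, so a reader has to re-derive it from the `incr x`/`decr y` step. A short comment above `let max` would fix that, e.g. `(* Two indices close in from both ends: every index already discarded holds a value bounded by a[x] or a[y], and advancing past the smaller of the two ends keeps that true, so the index left when x = y is a maximum. *)`. It is also worth noting next to the precondition that `length a > 0` is what makes `length a - 1` a valid initial value for `y` (and a valid index in the invariant's first check). The session file that follows shows every obligation discharged, so this is a readability point only.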
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE why3session SYSTEM "why3session.dtd">
<why3session
name="examples/programs/foveoos11_challenge1/why3session.xml">
<prover
id="alt-ergo"
name="Alt-Ergo"
version="0.93"/>
<prover
id="coq"
name="Coq"
version="8.2pl1"/>
<prover
id="cvc3"
name="CVC3"
version="2.2"/>
<prover
id="eprover"
name="Eprover"
version="0.7 Dhajea"/>
<prover
id="gappa"
name="Gappa"
version="0.14.0"/>
<prover
id="simplify"
name="Simplify"
version="1.5.4"/>
<prover
id="yices"
name="Yices"
version="1.0.13"/>
<prover
id="z3"
name="Z3"
version="2.13"/>
<file
name="../foveoos11_challenge1.mlw"
verified="true"
expanded="true">
<theory
name="WP Max"
verified="true"
expanded="true">
<goal
name="WP_parameter max"
expl="parameter max"
sum="224a4acf8a4bb3075540838664604ee2"
proved="true"
expanded="true"
shape="iainfix =V3V2Niainfix <=agetV1V3agetV1V2ainfix <ainfix -V2V4ainfix -V2V3Aainfix <=c0ainfix -V2V3Aainfix <=agetV1V5agetV1V4Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V4Aainfix <=c0V5FAainfix <V2V0Aainfix <=V4V2Aainfix <=c0V4Iainfix =V4ainfix +V3c1Fainfix <ainfix -V6V3ainfix -V2V3Aainfix <=c0ainfix -V2V3Aainfix <=agetV1V7agetV1V3Oainfix <=agetV1V7agetV1V6Iainfix <V7V0Aainfix <V6V7Oainfix <V7V3Aainfix <=c0V7FAainfix <V6V0Aainfix <=V3V6Aainfix <=c0V3Iainfix =V6ainfix -V2c1FAainfix <V2V0Aainfix <=c0V2Aainfix <V3V0Aainfix <=c0V3ainfix <=agetV1V8agetV1V3Iainfix <V8V0Aainfix <=c0V8FAainfix <V3V0Aainfix <=c0V3Iainfix <=agetV1V9agetV1V3Oainfix <=agetV1V9agetV1V2Iainfix <V9V0Aainfix <V2V9Oainfix <V9V3Aainfix <=c0V9FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFAainfix <=agetV1V10agetV1c0Oainfix <=agetV1V10agetV1ainfix -V0c1Iainfix <V10V0Aainfix <ainfix -V0c1V10Oainfix <V10c0Aainfix <=c0V10FAainfix <ainfix -V0c1V0Aainfix <=c0ainfix -V0c1Aainfix <=c0c0Iainfix >V0c0FF">
<transf
name="split_goal"
proved="true"
expanded="true">
<goal
name="WP_parameter max.1"
expl="loop invariant init"
sum="6ca74a56a483b3e1007d14be43e2f4cf"
proved="true"
expanded="false"
shape="ainfix <=agetV1V2agetV1c0Oainfix <=agetV1V2agetV1ainfix -V0c1Iainfix <V2V0Aainfix <ainfix -V0c1V2Oainfix <V2c0Aainfix <=c0V2FAainfix <ainfix -V0c1V0Aainfix <=c0ainfix -V0c1Aainfix <=c0c0Iainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal
name="WP_parameter max.2"
expl="precondition"
sum="eac3918eb95a958eeb2a1a18d069ccf1"
proved="true"
expanded="false"
shape="ainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V4agetV1V3Oainfix <=agetV1V4agetV1V2Iainfix <V4V0Aainfix <V2V4Oainfix <V4V3Aainfix <=c0V4FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal
name="WP_parameter max.3"
expl="precondition"
sum="728a22e2b780dd9cb9deaf11e63af5cf"
proved="true"
expanded="false"
shape="ainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V4agetV1V3Oainfix <=agetV1V4agetV1V2Iainfix <V4V0Aainfix <V2V4Oainfix <V4V3Aainfix <=c0V4FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal
name="WP_parameter max.4"
expl="loop invariant preservation"
sum="c82d2517f177d342165c31babfc20564"
proved="true"
expanded="false"
shape="ainfix <=agetV1V5agetV1V4Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V4Aainfix <=c0V5FAainfix <V2V0Aainfix <=V4V2Aainfix <=c0V4Iainfix =V4ainfix +V3c1FIainfix <=agetV1V3agetV1V2Iainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V6agetV1V3Oainfix <=agetV1V6agetV1V2Iainfix <V6V0Aainfix <V2V6Oainfix <V6V3Aainfix <=c0V6FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<transf
name="split_goal"
proved="true"
expanded="false">
<goal
name="WP_parameter max.4.1"
expl="parameter max"
sum="6de51f9a8369effccc6fe18b6bd9e63d"
proved="true"
expanded="false"
shape="ainfix <=c0V4Iainfix =V4ainfix +V3c1FIainfix <=agetV1V3agetV1V2Iainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal
name="WP_parameter max.4.2"
expl="parameter max"
sum="bde35631eb388d7d00845ccf4063ce23"
proved="true"
expanded="false"
shape="ainfix <=V4V2Iainfix =V4ainfix +V3c1FIainfix <=agetV1V3agetV1V2Iainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal
name="WP_parameter max.4.3"
expl="parameter max"
sum="93131a8028a34fb2faa8670d73514227"
proved="true"
expanded="false"
shape="ainfix <V2V0Iainfix =V4ainfix +V3c1FIainfix <=agetV1V3agetV1V2Iainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal
name="WP_parameter max.4.4"
expl="parameter max"
sum="73ee20d1d12c8c0c7b618499c0eb7a93"
proved="true"
expanded="false"
shape="ainfix <=agetV1V5agetV1V4Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V4Aainfix <=c0V5FIainfix =V4ainfix +V3c1FIainfix <=agetV1V3agetV1V2Iainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V6agetV1V3Oainfix <=agetV1V6agetV1V2Iainfix <V6V0Aainfix <V2V6Oainfix <V6V3Aainfix <=c0V6FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.04"/>
</proof>
</goal>
</transf>
</goal>
<goal
name="WP_parameter max.5"
expl="loop variant decreases"
sum="66f338c710d509830763b4a08f6e428a"
proved="true"
expanded="false"
shape="ainfix <ainfix -V2V4ainfix -V2V3Aainfix <=c0ainfix -V2V3Iainfix <=agetV1V5agetV1V4Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V4Aainfix <=c0V5FAainfix <V2V0Aainfix <=V4V2Aainfix <=c0V4Iainfix =V4ainfix +V3c1FIainfix <=agetV1V3agetV1V2Iainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V6agetV1V3Oainfix <=agetV1V6agetV1V2Iainfix <V6V0Aainfix <V2V6Oainfix <V6V3Aainfix <=c0V6FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal
name="WP_parameter max.6"
expl="loop invariant preservation"
sum="38e57fb784c343520829ef875b92ccb3"
proved="true"
expanded="false"
shape="ainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V4Iainfix <V5V0Aainfix <V4V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V4V0Aainfix <=V3V4Aainfix <=c0V3Iainfix =V4ainfix -V2c1FIainfix <=agetV1V3agetV1V2NIainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V6agetV1V3Oainfix <=agetV1V6agetV1V2Iainfix <V6V0Aainfix <V2V6Oainfix <V6V3Aainfix <=c0V6FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<transf
name="split_goal"
proved="true"
expanded="false">
<goal
name="WP_parameter max.6.1"
expl="parameter max"
sum="2d29f956d22748b306286deb0384f662"
proved="true"
expanded="false"
shape="ainfix <=c0V3Iainfix =V4ainfix -V2c1FIainfix <=agetV1V3agetV1V2NIainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.02"/>
</proof>
</goal>
<goal
name="WP_parameter max.6.2"
expl="parameter max"
sum="5665feb0da6e2b70c527b0bd24accb8b"
proved="true"
expanded="false"
shape="ainfix <=V3V4Iainfix =V4ainfix -V2c1FIainfix <=agetV1V3agetV1V2NIainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.01"/>
</proof>
</goal>
<goal
name="WP_parameter max.6.3"
expl="parameter max"
sum="0a5fa9f498a078b6d415b43682af46cb"
proved="true"
expanded="false"
shape="ainfix <V4V0Iainfix =V4ainfix -V2c1FIainfix <=agetV1V3agetV1V2NIainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal
name="WP_parameter max.6.4"
expl="parameter max"
sum="84931e47b6a981f7a592495ceba68ab0"
proved="true"
expanded="false"
shape="ainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V4Iainfix <V5V0Aainfix <V4V5Oainfix <V5V3Aainfix <=c0V5FIainfix =V4ainfix -V2c1FIainfix <=agetV1V3agetV1V2NIainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V6agetV1V3Oainfix <=agetV1V6agetV1V2Iainfix <V6V0Aainfix <V2V6Oainfix <V6V3Aainfix <=c0V6FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
</transf>
</goal>
<goal
name="WP_parameter max.7"
expl="loop variant decreases"
sum="5918f72544b13c632a2e745d0ebde696"
proved="true"
expanded="false"
shape="ainfix <ainfix -V4V3ainfix -V2V3Aainfix <=c0ainfix -V2V3Iainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V4Iainfix <V5V0Aainfix <V4V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V4V0Aainfix <=V3V4Aainfix <=c0V3Iainfix =V4ainfix -V2c1FIainfix <=agetV1V3agetV1V2NIainfix <V2V0Aainfix <=c0V2Iainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NIainfix <=agetV1V6agetV1V3Oainfix <=agetV1V6agetV1V2Iainfix <V6V0Aainfix <V2V6Oainfix <V6V3Aainfix <=c0V6FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal
name="WP_parameter max.8"
expl="normal postcondition"
sum="b67afaf2ed616cc23a61cff4b432ba2c"
proved="true"
expanded="true"
shape="ainfix <=agetV1V4agetV1V3Iainfix <V4V0Aainfix <=c0V4FAainfix <V3V0Aainfix <=c0V3Iainfix =V3V2NNIainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<transf
name="split_goal"
proved="true"
expanded="true">
<goal
name="WP_parameter max.8.1"
expl="parameter max"
sum="4b812d2bcf4d3ed0b2b66070e16cdf4d"
proved="true"
expanded="false"
shape="ainfix <=c0V3Iainfix =V3V2NNIainfix <=agetV1V4agetV1V3Oainfix <=agetV1V4agetV1V2Iainfix <V4V0Aainfix <V2V4Oainfix <V4V3Aainfix <=c0V4FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
<goal
name="WP_parameter max.8.2"
expl="parameter max"
sum="de34fc2ad4e717924c07a57d4f44d17a"
proved="true"
expanded="false"
shape="ainfix <V3V0Iainfix =V3V2NNIainfix <=agetV1V4agetV1V3Oainfix <=agetV1V4agetV1V2Iainfix <V4V0Aainfix <V2V4Oainfix <V4V3Aainfix <=c0V4FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.01"/>
</proof>
</goal>
<goal
name="WP_parameter max.8.3"
expl="parameter max"
sum="a2a012d5d3c115565529cf94023c635d"
proved="true"
expanded="true"
shape="ainfix <=agetV1V4agetV1V3Iainfix <V4V0Aainfix <=c0V4FIainfix =V3V2NNIainfix <=agetV1V5agetV1V3Oainfix <=agetV1V5agetV1V2Iainfix <V5V0Aainfix <V2V5Oainfix <V5V3Aainfix <=c0V5FAainfix <V2V0Aainfix <=V3V2Aainfix <=c0V3FFIainfix >V0c0FF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.03"/>
</proof>
</goal>
</transf>
</goal>
</transf>
</goal>
</theory>
</file>
</why3session>
(* FoVeOOS 2011 verification competition
http://foveoos2011.cost-ic0701.org/verification-competition
Challenge 2
*)
module MaximumTree
use import int.Int
use import int.MinMax
type tree = Empty | Node tree int tree
predicate mem (x: int) (t: tree) = match t with
| Empty -> false
| Node l v r -> mem x l \/ x = v \/ mem x r
end
let rec maximum (t: tree) : int =
{ t <> Empty }
match t with
| Empty -> absurd
| Node Empty v Empty -> v
| Node Empty v r -> max v (maximum r)
| Node l v Empty -> max (maximum l) v
| Node l v r -> max (maximum l) (max v (maximum r))
end
{ mem result t /\ forall x: int. mem x t -> x <= result }
end
(*
Local Variables:
compile-command: "unset LANG; make -C ../.. examples/programs/foveoos11_challenge2.gui"
End:
*)
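Review bot: `let rec maximum` has no `variant` clause, and the session that follows lists a single goal (`WP_parameter maximum`), so termination is not among the discharged obligations even though the contract reads as total. The recursive calls are on the immediate subterms `l` and `r` of `t`, so if this Why3 version accepts a variant on `let rec` (the loop at challenge 1 already uses the `variant { … }` form), `variant { t }` with the structural order — or an explicit size measure if it does not — would close that gap. Separately, the three special-case arms before the general `Node l v r` look redundant at first glance; a comment such as `(* maximum Empty violates the precondition, so each Empty child is handled without a recursive call *)` would say why they must stay.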
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE why3session SYSTEM "why3session.dtd">
<why3session
name="examples/programs/foveoos11_challenge2/why3session.xml">
<prover
id="alt-ergo"
name="Alt-Ergo"
version="0.93"/>
<prover
id="coq"
name="Coq"
version="8.2pl1"/>
<prover
id="cvc3"
name="CVC3"
version="2.2"/>
<prover
id="eprover"
name="Eprover"
version="0.7 Dhajea"/>
<prover
id="gappa"
name="Gappa"
version="0.14.0"/>
<prover
id="simplify"
name="Simplify"
version="1.5.4"/>
<prover
id="yices"
name="Yices"
version="1.0.13"/>
<prover
id="z3"
name="Z3"
version="2.13"/>
<file
name="../foveoos11_challenge2.mlw"
verified="true"
expanded="true">
<theory
name="WP MaximumTree"
verified="true"
expanded="true">
<goal
name="WP_parameter maximum"
expl="parameter maximum"
sum="be2c72561ff37f3f52d7a3123788f957"
proved="true"
expanded="true"
shape="CV0aEmptyfaNodeaEmptyVaEmptyainfix <=V2V1IamemV2V0FAamemV1V0aNodeaEmptyVVainfix <=V6amaxV3V5IamemV6V0FAamemamaxV3V5V0Iainfix <=V7V5IamemV7V4FAamemV5V4FAainfix =V4aEmptyNaNodeVVaEmptyainfix <=V11amaxV10V9IamemV11V0FAamemamaxV10V9V0Iainfix <=V12V10IamemV12V8FAamemV10V8FAainfix =V8aEmptyNaNodeVVVainfix <=V18amaxV16amaxV14V17IamemV18V0FAamemamaxV16amaxV14V17V0Iainfix <=V19V17IamemV19V15FAamemV17V15FAainfix =V15aEmptyNIainfix <=V20V16IamemV20V13FAamemV16V13FAainfix =V13aEmptyNIainfix =V0aEmptyNF">
<proof
prover="alt-ergo"
timelimit="10"
edited=""
obsolete="false">
<result status="valid" time="0.36"/>
</proof>
</goal>
</theory>
</file>
</why3session>
(* FoVeOOS 2011 verification competition
http://foveoos2011.cost-ic0701.org/verification-competition
Challenge 3
*)
module TwoEqualElements
use import module ref.Refint
use import module array.Array
predicate appear_twice (a: array int) (v: int) (u: int) =
exists i: int. 0 <= i < u /\ a[i] = v /\
exists j: int. 0 <= j < u /\ j <> i /\ a[j] = v
let two_equal_elements (a: array int) (n: int) =
{ length a = n+2 /\ n >= 2 /\
(forall i: int. 0 <= i < length a -> 0 <= a[i] < n) /\
exists v1: int. appear_twice a v1 (n+2) /\
exists v2: int. appear_twice a v2 (n+2) /\ v2 <> v1 }
let deja_vu = make n False in
let v1 = ref (-1) in
let v2 = ref (-1) in
for i = 0 to n+1 do
invariant {
(!v1 = -1 -> !v2 = -1) /\
(!v1 <> -1 -> appear_twice a !v1 i) /\
(!v2 <> -1 -> appear_twice a !v2 i /\ !v2 <> !v1) /\
(forall v: int. 0 <= v < n ->
if deja_vu[v]=True then exists j: int. 0 <= j < i /\ a[j] = v
else forall j: int. 0 <= j < i -> a[j] <> v) /\
(!v1 = -1 -> forall v: int. 0 <= v < n -> not (appear_twice a v i)) /\
(!v2 = -1 -> forall v: int. 0 <= v < n -> v <> !v1 ->
not (appear_twice a v i))
}
let v = a[i] in
if deja_vu[v] then begin
if !v1 = -1 then v1 := v
else if !v2 = -1 && v <> !v1 then v2 := v
end else
deja_vu[v] <- True
done;
(!v1, !v2)
{ let (v1, v2) = result in
appear_twice a v1 (n+2) /\ appear_twice a v2 (n+2) /\ v1 <> v2 }
end
(*
Local Variables:
compile-command: "unset LANG; make -C ../.. examples/programs/foveoos11_challenge3.gui"
End:
*)
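Review bot: `two_equal_elements` uses `-1` as the "not found yet" sentinel for `v1` and `v2` but never says so, and the reason the sentinel cannot collide with a real value is only implicit in the precondition `0 <= a[i] < n`. A comment at the two `ref (-1)` bindings, e.g. `(* -1 = not found yet; cannot clash with an element, since the precondition bounds every a[i] to [0,n) *)`, would make that explicit. The same precondition is what keeps `deja_vu[v]` in bounds in the loop body (the array has exactly `n` cells), which deserves a note too, because dropping or weakening that clause would turn a proof failure into an out-of-bounds access in any extracted code. Finally, the invariant's `if deja_vu[v]=True then … else …` clause is the only place that ties the boolean array to the "seen before" meaning; naming that intent in a comment above the loop would help the next reader.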
(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below *)
Require Import ZArith.
Require Import Rbase.
Definition unit := unit.
Parameter qtmark : Type.
Parameter at1: forall (a:Type), a -> qtmark -> a.
Implicit Arguments at1.
Parameter old: forall (a:Type), a -> a.
Implicit Arguments old.
Inductive ref (a:Type) :=
| mk_ref : a -> ref a.
Implicit Arguments mk_ref.
Definition contents (a:Type)(u:(ref a)): a :=
match u with
| (mk_ref contents1) => contents1
end.
Implicit Arguments contents.
Parameter map : forall (a:Type) (b:Type), Type.
Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b.
Implicit Arguments get.
Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b).
Implicit Arguments set.
Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
a2) = b1).
Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
a2) = (get m a2)).
Parameter const: forall (b:Type) (a:Type), b -> (map a b).
Set Contextual Implicit.
Implicit Arguments const.
Unset Contextual Implicit.
Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const(
b1):(map a b)) a1) = b1).
Inductive array (a:Type) :=
| mk_array : Z -> (map Z a) -> array a.
Implicit Arguments mk_array.
Definition elts (a:Type)(u:(array a)): (map Z a) :=
match u with
| (mk_array _ elts1) => elts1
end.
Implicit Arguments elts.
Definition length (a:Type)(u:(array a)): Z :=
match u with
| (mk_array length1 _) => length1
end.
Implicit Arguments length.