(** Random Access Lists. (Okasaki, "Purely Functional Data Structures", 10.1.2.) The code below uses polymorphic recursion (both in the logic and in the programs). Author: Jean-Christophe FilliĆ¢tre (CNRS) *) module RandomAccessList use import int.Int use import int.ComputerDivision use import list.List use import list.Length use import list.Nth use import option.Option type ral 'a = | Empty | Zero (ral ('a, 'a)) | One 'a (ral ('a, 'a)) function flatten (l: list ('a, 'a)) : list 'a = match l with | Nil -> Nil | Cons (x, y) l1 -> Cons x (Cons y (flatten l1)) end let rec lemma length_flatten (l:list ('a, 'a)) ensures { length (flatten l) = 2 * length l } variant { l } = match l with | Cons (_,_) q -> length_flatten q | Nil -> () end function elements (l: ral 'a) : list 'a = match l with | Empty -> Nil | Zero l1 -> flatten (elements l1) | One x l1 -> Cons x (flatten (elements l1)) end let rec size (l: ral 'a) : int variant { l } ensures { result = length (elements l) } = match l with | Empty -> 0 | Zero l1 -> 2 * size l1 | One _ l1 -> 1 + 2 * size l1 end let rec add (x: 'a) (l: ral 'a) : ral 'a variant { l } ensures { elements result = Cons x (elements l) } = match l with | Empty -> One x Empty | Zero l1 -> One x l1 | One y l1 -> Zero (add (x, y) l1) end let rec lemma nth_flatten (i: int) (l: list ('a, 'a)) requires { 0 <= i < length l } variant { l } ensures { match nth i l with | None -> false | Some (x0, x1) -> Some x0 = nth (2 * i) (flatten l) /\ Some x1 = nth (2 * i + 1) (flatten l) end } = match l with | Nil -> () | Cons _ r -> if i > 0 then nth_flatten (i-1) r end let rec get (i: int) (l: ral 'a) : 'a requires { 0 <= i < length (elements l) } variant { i, l } ensures { nth i (elements l) = Some result } = match l with | Empty -> absurd | One x l1 -> if i = 0 then x else get (i-1) (Zero l1) | Zero l1 -> let (x0, x1) = get (div i 2) l1 in if mod i 2 = 0 then x0 else x1 end end (** A straightforward encapsulation with a list ghost model (in anticipation of module refinement) *) module RAL use import int.Int use import RandomAccessList as R use import list.List use import list.Length use import option.Option use import list.Nth type t 'a = { r: ral 'a; ghost l: list 'a } invariant { self.l = elements self.r } let empty () : t 'a ensures { result.l = Nil } = { r = Empty; l = Nil } let size (t: t 'a) : int ensures { result = length t.l } = size t.r let cons (x: 'a) (s: t 'a) : t 'a ensures { result.l = Cons x s.l } = { r = add x s.r; l = Cons x s.l } let get (i: int) (s: t 'a) : 'a requires { 0 <= i < length s.l } ensures { Some result = nth i s.l } = get i s.r end module RandomAccessListWithSeq use import int.Int use import int.ComputerDivision use import seq.Seq type ral 'a = | Empty | Zero (ral ('a, 'a)) | One 'a (ral ('a, 'a)) function flatten (s: seq ('a, 'a)) : seq 'a = create (2 * length s) (\ i: int. let (x0, x1) = s[div i 2] in if mod i 2 = 0 then x0 else x1) function elements (l: ral 'a) : seq 'a = match l with | Empty -> empty | Zero l1 -> flatten (elements l1) | One x l1 -> cons x (flatten (elements l1)) end let rec size (l: ral 'a) : int variant { l } ensures { result = length (elements l) } = match l with | Empty -> 0 | Zero l1 -> 2 * size l1 | One _ l1 -> 1 + 2 * size l1 end let rec add (x: 'a) (l: ral 'a) : ral 'a variant { l } ensures { elements result == cons x (elements l) } = match l with | Empty -> One x Empty | Zero l1 -> One x l1 | One y l1 -> Zero (add (x, y) l1) end let rec get (i: int) (l: ral 'a) : 'a requires { 0 <= i < length (elements l) } variant { i, l } ensures { (elements l)[i] = result } = match l with | Empty -> absurd | One x l1 -> if i = 0 then x else get (i-1) (Zero l1) | Zero l1 -> let (x0, x1) = get (div i 2) l1 in if mod i 2 = 0 then x0 else x1 end end