mergesort_queue.mlw 2.18 KB
Newer Older
Jean-Christophe's avatar
Jean-Christophe committed
1

2 3 4 5
(** {1 Sorting a queue using mergesort}

    Author: Jean-Christophe Filliâtre (CNRS) *)

Jean-Christophe's avatar
Jean-Christophe committed
6 7 8
module MergesortQueue

  use import int.Int
9
  use import list.List
10
  use import list.Mem
Jean-Christophe's avatar
Jean-Christophe committed
11 12 13
  use import list.Length
  use import list.Append
  use import list.Permut
14
  use import queue.Queue
Jean-Christophe's avatar
Jean-Christophe committed
15 16 17

  type elt
  predicate le elt elt
18
  clone relations.TotalPreOrder with type t = elt, predicate rel = le
19 20
  clone export list.Sorted      with type t = elt, predicate le  = le,
  goal Transitive.Trans
Jean-Christophe's avatar
Jean-Christophe committed
21

22
  let merge (q1: t elt) (q2: t elt) (q: t elt)
23 24 25
    requires { q.elts = Nil /\ sorted q1.elts /\ sorted q2.elts }
    ensures  { sorted q.elts }
    ensures  { permut q.elts (old q1.elts ++ old q2.elts) }
26
  = while length q1 > 0 || length q2 > 0 do
27 28 29
      invariant { sorted q1.elts /\ sorted q2.elts /\ sorted q.elts }
      invariant { forall x y: elt. mem x q.elts -> mem y q1.elts -> le x y }
      invariant { forall x y: elt. mem x q.elts -> mem y q2.elts -> le x y }
Jean-Christophe's avatar
Jean-Christophe committed
30
      invariant { permut (q.elts ++ q1.elts ++ q2.elts)
31
                         (old (q1.elts ++ q2.elts)) }
32
      variant { length q1 + length q2 }
Jean-Christophe's avatar
Jean-Christophe committed
33
      if length q1 = 0 then
34
        push (safe_pop q2) q
Jean-Christophe's avatar
Jean-Christophe committed
35
      else if length q2 = 0 then
36
        push (safe_pop q1) q
Jean-Christophe's avatar
Jean-Christophe committed
37
      else
38 39 40 41 42 43
        let x1 = safe_peek q1 in
        let x2 = safe_peek q2 in
        if le x1 x2 then
          push (safe_pop q1) q
        else
          push (safe_pop q2) q
Jean-Christophe's avatar
Jean-Christophe committed
44 45
    done

46 47 48
  let rec mergesort (q: t elt) : unit
    ensures { sorted q.elts /\ permut q.elts (old q.elts) }
    variant { length q }
49
  = if length q > 1 then begin
Jean-Christophe's avatar
Jean-Christophe committed
50 51 52
      let q1 = create () : t elt in
      let q2 = create () : t elt in
      while not (is_empty q) do
53
        invariant { permut (q1.elts ++ q2.elts ++ q.elts) (old q.elts) }
54 55 56 57 58
        invariant { length q1 = length q2 \/
                    length q = 0 /\ length q1 = length q2 +1 }
        variant   { length q }
        let x = safe_pop q in push x q1;
        if not (is_empty q) then let x = safe_pop q in push x q2
Jean-Christophe's avatar
Jean-Christophe committed
59 60
      done;
      assert { q.elts = Nil };
61
      assert { permut (q1.elts ++ q2.elts) (old q.elts) };
Jean-Christophe's avatar
Jean-Christophe committed
62 63 64
      mergesort q1;
      mergesort q2;
      merge q1 q2 q
65 66
    end else
      assert { q.elts = Nil \/ exists x: elt. q.elts = Cons x Nil }
Jean-Christophe's avatar
Jean-Christophe committed
67 68

end