VerifyThis 2017: Pair Insertion Sort
solution to VerifyThis 2017 challenge 1
Authors: Jean-Christophe Filliâtre
Topics: Array Data Structure / Sorting Algorithms
Tools: Why3
References: VerifyThis @ ETAPS 2017
see also the index (by topic, by tool, by reference, by year)
VerifyThis @ ETAPS 2017 competition Challenge 1: Pair Insertion Sort
See https://formal.iti.kit.edu/ulbrich/verifythis2017/
Author: Jean-Christophe FilliĆ¢tre (CNRS)
module Challenge1 use int.Int use ref.Refint use array.Array use array.ArrayPermut let pair_insertion_sort (a: array int) ensures { forall k l. 0 <= k <= l < length a -> a[k] <= a[l] } ensures { permut_all (old a) a } = let i = ref 0 in (* i is running index (inc by 2 every iteration)*) while !i < length a - 1 do invariant { 0 <= !i <= length a } invariant { forall k l. 0 <= k <= l < !i -> a[k] <= a[l] } invariant { permut_all (old a) a } variant { length a - !i } let x = ref a[!i] in (* let x and y hold the next to elements in A *) let y = ref a[!i + 1] in if !x < !y then (* ensure that x is not smaller than y *) begin let tmp = !x in x := !y; y := tmp end (* swap x and y *) else begin label L in assert { exchange (a at L) a[(!i-1)+1 <- !y][(!i-1)+2 <- !x] ((!i-1)+1) ((!i-1)+2) } end; let j = ref (!i - 1) in (* j is the index used to find the insertion point *) while !j >= 0 && a[!j] > !x do (* find the insertion point for x *) invariant { -1 <= !j < !i } invariant { forall k l. 0 <= k <= l <= !j -> a[k] <= a[l] } invariant { forall k l. 0 <= k <= !j -> !j+2 < l < !i+2 -> a[k] <= a[l] } invariant { forall k l. !j+2 < k <= l < !i+2 -> a[k] <= a[l] } invariant { forall l. !j+2 < l < !i+2 -> !x < a[l] } invariant { permut_all (old a) a[!j+1 <- !y][!j+2 <- !x] } variant { !j } label L in a[!j + 2] <- a[!j]; (* shift existing content by 2 *) assert { exchange (a at L)[!j+2 <- !x] a[!j <- !x] !j (!j + 2) }; assert { exchange (a at L)[!j+1 <- !y][!j+2 <- !x] a[!j+1 <- !y][!j <- !x] !j (!j + 2) }; assert { exchange (a at L)[!j+1 <- !y][!j+2 <- a[!j]][!j <- !x] a[!j <- !y][!j+1 <- !x][!j+2 <- a[!j]] !j (!j + 1) }; j := !j - 1 done; a[!j + 2] <- !x; (* store x at its insertion place *) (* A[j+1] is an available space now *) while !j >= 0 && a[!j] > !y do (* #ind the insertion point for y *) invariant { -1 <= !j < !i } invariant { forall k l. 0 <= k <= l <= !j -> a[k] <= a[l] } invariant { forall k l. 0 <= k <= !j -> !j+1 < l < !i+2 -> a[k] <= a[l] } invariant { forall k l. !j+1 < k <= l < !i+2 -> a[k] <= a[l] } invariant { forall l. !j+1 < l < !i+2 -> !y <= a[l] } invariant { permut_all (old a) a[!j+1 <- !y] } variant { !j } label L in a[!j + 1] <- a[!j]; (* shift existing content by 1 *) assert { exchange (a at L)[!j+1 <- !y] a[!j <- !y] !j (!j + 1) }; j := !j - 1 done; a[!j + 1] <- !y; (* store y at its insertion place *) i := !i + 2 done; if !i = length a - 1 then begin (* if length(A) is odd, an extra *) let y = a[!i] in (* single insertion is needed for *) let j = ref (!i - 1) in (* the last element *) while !j >= 0 && a[!j] > y do invariant { -1 <= !j < !i } invariant { forall k l. 0 <= k <= l <= !j -> a[k] <= a[l] } invariant { forall k l. 0 <= k <= !j -> !j+1 < l < length a -> a[k] <= a[l] } invariant { forall k l. !j+1 < k <= l < length a -> a[k] <= a[l] } invariant { forall l. !j+1 < l < length a -> y < a[l] } invariant { permut_all (old a) a[!j+1 <- y] } variant { !j } label L in a[!j+1] <- a[!j]; assert { exchange (a at L)[!j+1 <- y] a[!j <- y] !j (!j + 1) }; j := !j - 1 done; a[!j + 1] <- y end end
download ZIP archive
Why3 Proof Results for Project "verifythis_2017_pair_insertion_sort"
Theory "verifythis_2017_pair_insertion_sort.Challenge1": fully verified
| Obligations | Alt-Ergo 2.1.0 | CVC3 2.4.1 | CVC4 1.5 | Z3 4.12.2 | |
| VC for pair_insertion_sort | --- | --- | --- | --- | |
| split_goal_right | |||||
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.01 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.01 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.15 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| assertion | 0.01 | --- | --- | --- | |
| assertion | 0.05 | --- | --- | --- | |
| assertion | 0.10 | --- | --- | --- | |
| loop variant decrease | 0.00 | --- | --- | --- | |
| loop invariant preservation | 0.00 | --- | --- | --- | |
| loop invariant preservation | 0.07 | --- | --- | --- | |
| loop invariant preservation | 0.16 | --- | --- | --- | |
| loop invariant preservation | 0.24 | --- | --- | --- | |
| loop invariant preservation | 0.02 | --- | --- | --- | |
| loop invariant preservation | --- | 0.10 | --- | --- | |
| index in array bounds | 0.01 | --- | --- | --- | |
| loop invariant init | 0.01 | --- | --- | --- | |
| loop invariant init | 0.03 | --- | --- | --- | |
| loop invariant init | 0.04 | --- | --- | --- | |
| loop invariant init | 0.08 | --- | --- | --- | |
| loop invariant init | 0.01 | --- | --- | --- | |
| loop invariant init | 3.34 | --- | --- | --- | |
| index in array bounds | 0.01 | --- | --- | --- | |
| index in array bounds | 0.01 | --- | --- | --- | |
| index in array bounds | 0.01 | --- | --- | --- | |
| assertion | 0.02 | --- | --- | --- | |
| loop variant decrease | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.05 | --- | --- | --- | |
| loop invariant preservation | 0.08 | --- | --- | --- | |
| loop invariant preservation | 0.14 | --- | --- | --- | |
| loop invariant preservation | 0.02 | --- | --- | --- | |
| loop invariant preservation | --- | --- | 0.09 | 0.02 | |
| index in array bounds | 0.01 | --- | --- | --- | |
| loop variant decrease | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.33 | --- | --- | --- | |
| loop invariant preservation | 0.02 | --- | --- | --- | |
| assertion | 0.02 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.01 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.02 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| assertion | 0.01 | --- | --- | --- | |
| assertion | 0.04 | --- | --- | --- | |
| assertion | 0.13 | --- | --- | --- | |
| loop variant decrease | 0.00 | --- | --- | --- | |
| loop invariant preservation | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.08 | --- | --- | --- | |
| loop invariant preservation | 0.28 | --- | --- | --- | |
| loop invariant preservation | 0.32 | --- | --- | --- | |
| loop invariant preservation | 0.12 | --- | --- | --- | |
| loop invariant preservation | --- | 0.11 | --- | --- | |
| index in array bounds | 0.01 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.04 | --- | --- | --- | |
| loop invariant init | 0.02 | --- | --- | --- | |
| loop invariant init | 0.20 | --- | --- | --- | |
| loop invariant init | 0.02 | --- | --- | --- | |
| loop invariant init | 4.52 | --- | --- | --- | |
| index in array bounds | 0.01 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| index in array bounds | 0.01 | --- | --- | --- | |
| assertion | 0.02 | --- | --- | --- | |
| loop variant decrease | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.16 | --- | --- | --- | |
| loop invariant preservation | 0.10 | --- | --- | --- | |
| loop invariant preservation | 0.16 | --- | --- | --- | |
| loop invariant preservation | 0.04 | --- | --- | --- | |
| loop invariant preservation | 0.05 | --- | --- | --- | |
| index in array bounds | 0.01 | --- | --- | --- | |
| loop variant decrease | 0.00 | --- | --- | --- | |
| loop invariant preservation | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.43 | --- | --- | --- | |
| loop invariant preservation | 0.02 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.00 | --- | --- | --- | |
| loop invariant init | 0.17 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| assertion | 0.01 | --- | --- | --- | |
| loop variant decrease | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.00 | --- | --- | --- | |
| loop invariant preservation | 0.05 | --- | --- | --- | |
| loop invariant preservation | 0.06 | --- | --- | --- | |
| loop invariant preservation | 0.10 | --- | --- | --- | |
| loop invariant preservation | 0.01 | --- | --- | --- | |
| loop invariant preservation | 0.03 | --- | --- | --- | |
| index in array bounds | 0.00 | --- | --- | --- | |
| postcondition | 0.07 | --- | --- | --- | |
| postcondition | 0.01 | --- | --- | --- | |
| postcondition | 0.00 | --- | --- | --- | |
| postcondition | 0.01 | --- | --- | --- | |