summaryrefslogtreecommitdiff
path: root/Test/dafny3/Dijkstra.dfy
blob: e90687e07b4fb0c54f88a7d8f6b94a12681d0fbe (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
// RUN: %dafny /compile:0 /dprint:"%t.dprint" "%s" > "%t"
// RUN: %diff "%s.expect" "%t"

// Example taken from:
// Edsger W. Dijkstra: Heuristics for a Calculational Proof. Inf. Process. Lett. (IPL) 53(3):141-143 (1995)
// Transcribed into Dafny by Valentin Wüstholz and Nadia Polikarpova.

// f is an arbitrary function on the natural numbers
function f(n: nat) : nat

// Predicate P() says that f satisfies a peculiar property
predicate P()
{
  forall m: nat :: f(f(m)) < f(m + 1)
}

// The following theorem says that if f satisfies the peculiar property,
// then f is the identity function.  The body of the method, and the methods
// that follow, give the proof.
ghost method theorem()
  requires P();
  ensures forall n: nat :: f(n) == n;
{
  forall (n: nat) {
    calc {
      f(n);
    ==  { lemma_ping(n, n); lemma_pong(n); }
      n;
    }
  }
}

// Aiming at n <= f(n), but strengthening it for induction
ghost method lemma_ping(j: nat, n: nat)
  requires P();
  ensures j <= n ==> j <= f(n);
{
  // The case for j == 0 is trivial
  if 0 < j {
    calc {
      j <= f(n);
    ==
      j - 1 < f(n);
    <== // P with m := n - 1
      j - 1 <= f(f(n - 1)) && 1 <= n;
    <== { lemma_ping(j - 1, f(n - 1)); }
      j - 1 <= f(n - 1) && 1 <= n;
    <== { lemma_ping(j - 1, n - 1); }
      j - 1 <= n - 1 && 1 <= n;
    == // 0 < j
      j <= n;
    }
  }
}

// The other directorion: f(n) <= n
ghost method lemma_pong(n: nat)
  requires P();
  ensures f(n) <= n;
{
  calc {
    f(n) <= n;
  ==
    f(n) < n + 1;
  <==  { lemma_monotonicity_0(n + 1, f(n)); }
    f(f(n)) < f(n + 1);
  ==  // P with m := n
    true;        
  }
}

ghost method lemma_monotonicity_0(a: nat, b: nat)
  requires P();
  ensures a <= b ==> f(a) <= f(b);  // or, equivalently:  f(b) < f(a) ==> b < a
  decreases b - a;
{
  // The case for a == b is trivial
  if (a < b) {
    calc {
      f(a);
    <=  { lemma_monotonicity_1(a); }
      f(a + 1);
    <=  { lemma_monotonicity_0(a + 1, b); }
      f(b);
    }
  }
}

ghost method lemma_monotonicity_1(n: nat)
  requires P();
  ensures f(n) <= f(n + 1);
{
  calc {
    f(n);
  <=  { lemma_ping(f(n), f(n)); }
    f(f(n));
  <=  // (0)
    f(n + 1);
  }
}