From 286214f0a8c6ebca94bc5983607806a4df5fd074 Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Tue, 29 Mar 2022 15:27:08 +0200 Subject: [PATCH 01/14] add rewritten code --- .../verifying_tim_sort/Cargo.lock | 7 + .../verifying_tim_sort/Cargo.toml | 8 + .../verifying_tim_sort/src/main.rs | 179 ++++++++++ .../verifying_tim_sort/src/original_code.rs | 321 ++++++++++++++++++ .../src/pure_code_without_comments.rs | 229 +++++++++++++ .../verifying_tim_sort/src/rewritten_code.rs | 179 ++++++++++ .../cargo_verify/verifying_tim_sort/src/temp | 57 ++++ 7 files changed, 980 insertions(+) create mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.lock create mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.toml create mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs create mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/src/original_code.rs create mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/src/pure_code_without_comments.rs create mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs create mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/src/temp diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.lock b/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.lock new file mode 100644 index 00000000000..96201446251 --- /dev/null +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.lock @@ -0,0 +1,7 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "verifying_tim_sort" +version = "0.1.0" diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.toml b/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.toml new file mode 100644 index 00000000000..9418ae949eb --- /dev/null +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.toml @@ -0,0 +1,8 @@ +[package] +name = "verifying_tim_sort" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs new file mode 100644 index 00000000000..fd05f4bb391 --- /dev/null +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -0,0 +1,179 @@ +use std::vec::Vec; + +pub fn main() { + let mut x = [-5, -4, -3, 1, 5151, 70, 5, 155, -65848, 151, 454, 8811, 5]; + merge_sort(&mut x); + println!("{:?}", x); +} + +fn insert_head(v: &mut [i32]) { + if v.len() >= 2 && (v[1] < v[0]) { + let tmp = v[0]; + v[0] = v[1]; + let mut i = 2; + while i < v.len() { + if !(v[i] < tmp) { + break; + } + v[i - 1] = v[i]; + i += 1; + } + v[i - 1] = tmp; + } +} + +fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { + let len = v.len(); + + if mid <= len - mid { + let mut i = 0; + while i < mid { + buf[i] = v[i]; + i += 1; + } + + let mut left = 0; + let mut right = mid; + let mut out = 0; + + while left < mid && right < len { + if v[right] < v[left] { + v[out] = v[right]; + right += 1; + } else { + v[out] = buf[left]; + left += 1; + } + out += 1; + } + + while left < mid { + v[out] = buf[left]; + out += 1; + left += 1; + } + + } else { + let mut i = mid; + while i < len { + buf[i - mid] = v[i]; + i += 1; + } + + let mut left = mid; + let mut right = len - mid; + let mut out = len; + + while v[0] < v[left] && buf[0] < buf[right] { + out -= 1; + if buf[right - 1] < v[left - 1] { + left -= 1; + v[out] = v[left]; + } else { + right -= 1; + v[out] = buf[right]; + } + } + + let mut i = 0; + while i < right { + v[left] = buf[i]; + i += 1; + left += 1; + } + } +} + +#[derive(Clone, Copy, Debug)] +struct Run { + start: usize, + len: usize, +} + +fn collapse(runs: &[Run]) -> usize { + let n = runs.len(); + if n >= 2 + && (runs[n - 1].start == 0 + || runs[n - 2].len <= runs[n - 1].len + || (n >= 3 && runs[n - 3].len <= runs[n - 2].len + runs[n - 1].len) + || (n >= 4 && runs[n - 4].len <= runs[n - 3].len + runs[n - 2].len)) + { + if n >= 3 && runs[n - 3].len < runs[n - 1].len { n - 3 } else { n - 2 } + } else { + -1 + } +} + +fn merge_sort(v: &mut [i32]) { + const MAX_INSERTION: usize = 5; + const MIN_RUN: usize = 10; + + if v.len() == 0 { + return; + } + + let len = v.len(); + + if len <= MAX_INSERTION { + if len >= 2 { + let mut i = len - 2; + while true { + insert_head(&mut v[i..]); + if i == 0 { + break; + } else { + i -= 1; + } + } + } + return; + } + + let mut buf = Vec::with_capacity(len / 2); + + let mut runs = vec![]; + let mut end = len; + while end > 0 { + let mut start = end - 1; + if start > 0 { + start -= 1; + if v.get(start + 1) < v.get(start) { + while start > 0 && v.get(start) < v.get(start - 1) { + start -= 1; + } + v[start..end].reverse(); + } else { + while start > 0 && !(v.get(start) < v.get(start - 1)) + { + start -= 1; + } + } + } + + while start > 0 && end - start < MIN_RUN { + start -= 1; + insert_head(&mut v[start..end]); + } + + runs.push(Run { start, len: end - start }); + end = start; + + while true { + let r = collapse(&runs); + if r == 0 { + break; + } + let left = runs[r + 1]; + let right = runs[r]; + merge( + &mut v[left.start..right.start + right.len], + left.len, + &mut buf, + ); + runs[r] = Run { start: left.start, len: left.len + right.len }; + runs.remove(r + 1); + } + } + + //debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); +} \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/original_code.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/original_code.rs new file mode 100644 index 00000000000..7ed5b1eaa13 --- /dev/null +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/original_code.rs @@ -0,0 +1,321 @@ +// Many of the usings in this module are only used in the test configuration. +// It's cleaner to just turn off the unused_imports warning than to fix them. +#![cfg_attr(test, allow(unused_imports, dead_code))] + +use std::borrow::{Borrow, BorrowMut}; +#[cfg(not(no_global_oom_handling))] +use std::cmp::Ordering::{self, Less}; +#[cfg(not(no_global_oom_handling))] +use std::mem; +#[cfg(not(no_global_oom_handling))] +use std::mem::size_of; +#[cfg(not(no_global_oom_handling))] +use std::ptr; + +use std::borrow::ToOwned; +use std::boxed::Box; +use std::vec::Vec; + +pub fn main() { + +} + +#[cfg(not(no_global_oom_handling))] +fn insert_head(v: &mut [T], is_less: &mut F) +where + F: FnMut(&T, &T) -> bool, +{ + if v.len() >= 2 && is_less(&v[1], &v[0]) { + unsafe { + // There are three ways to implement insertion here: + // + // 1. Swap adjacent elements until the first one gets to its final destination. + // However, this way we copy data around more than is necessary. If elements are big + // structures (costly to copy), this method will be slow. + // + // 2. Iterate until the right place for the first element is found. Then shift the + // elements succeeding it to make room for it and finally place it into the + // remaining hole. This is a good method. + // + // 3. Copy the first element into a temporary variable. Iterate until the right place + // for it is found. As we go along, copy every traversed element into the slot + // preceding it. Finally, copy data from the temporary variable into the remaining + // hole. This method is very good. Benchmarks demonstrated slightly better + // performance than with the 2nd method. + // + // All methods were benchmarked, and the 3rd showed best results. So we chose that one. + let mut tmp = mem::ManuallyDrop::new(ptr::read(&v[0])); + + // Intermediate state of the insertion process is always tracked by `hole`, which + // serves two purposes: + // 1. Protects integrity of `v` from panics in `is_less`. + // 2. Fills the remaining hole in `v` in the end. + // + // Panic safety: + // + // If `is_less` panics at any point during the process, `hole` will get dropped and + // fill the hole in `v` with `tmp`, thus ensuring that `v` still holds every object it + // initially held exactly once. + let mut hole = InsertionHole { src: &mut *tmp, dest: &mut v[1] }; + ptr::copy_nonoverlapping(&v[1], &mut v[0], 1); + + for i in 2..v.len() { + if !is_less(&v[i], &*tmp) { + break; + } + ptr::copy_nonoverlapping(&v[i], &mut v[i - 1], 1); + hole.dest = &mut v[i]; + } + // `hole` gets dropped and thus copies `tmp` into the remaining hole in `v`. + } + } + + // When dropped, copies from `src` into `dest`. + struct InsertionHole { + src: *mut T, + dest: *mut T, + } + + impl Drop for InsertionHole { + fn drop(&mut self) { + unsafe { + ptr::copy_nonoverlapping(self.src, self.dest, 1); + } + } + } +} + +#[cfg(not(no_global_oom_handling))] +unsafe fn merge(v: &mut [T], mid: usize, buf: *mut T, is_less: &mut F) +where + F: FnMut(&T, &T) -> bool, +{ + let len = v.len(); + let v = v.as_mut_ptr(); + let (v_mid, v_end) = unsafe { (v.add(mid), v.add(len)) }; + + // The merge process first copies the shorter run into `buf`. Then it traces the newly copied + // run and the longer run forwards (or backwards), comparing their next unconsumed elements and + // copying the lesser (or greater) one into `v`. + // + // As soon as the shorter run is fully consumed, the process is done. If the longer run gets + // consumed first, then we must copy whatever is left of the shorter run into the remaining + // hole in `v`. + // + // Intermediate state of the process is always tracked by `hole`, which serves two purposes: + // 1. Protects integrity of `v` from panics in `is_less`. + // 2. Fills the remaining hole in `v` if the longer run gets consumed first. + // + // Panic safety: + // + // If `is_less` panics at any point during the process, `hole` will get dropped and fill the + // hole in `v` with the unconsumed range in `buf`, thus ensuring that `v` still holds every + // object it initially held exactly once. + let mut hole; + + if mid <= len - mid { + // The left run is shorter. + unsafe { + ptr::copy_nonoverlapping(v, buf, mid); + hole = MergeHole { start: buf, end: buf.add(mid), dest: v }; + } + + // Initially, these pointers point to the beginnings of their arrays. + let left = &mut hole.start; + let mut right = v_mid; + let out = &mut hole.dest; + + while *left < hole.end && right < v_end { + // Consume the lesser side. + // If equal, prefer the left run to maintain stability. + unsafe { + let to_copy = if is_less(&*right, &**left) { + get_and_increment(&mut right) + } else { + get_and_increment(left) + }; + ptr::copy_nonoverlapping(to_copy, get_and_increment(out), 1); + } + } + } else { + // The right run is shorter. + unsafe { + ptr::copy_nonoverlapping(v_mid, buf, len - mid); + hole = MergeHole { start: buf, end: buf.add(len - mid), dest: v_mid }; + } + + // Initially, these pointers point past the ends of their arrays. + let left = &mut hole.dest; + let right = &mut hole.end; + let mut out = v_end; + + while v < *left && buf < *right { + // Consume the greater side. + // If equal, prefer the right run to maintain stability. + unsafe { + let to_copy = if is_less(&*right.offset(-1), &*left.offset(-1)) { + decrement_and_get(left) + } else { + decrement_and_get(right) + }; + ptr::copy_nonoverlapping(to_copy, decrement_and_get(&mut out), 1); + } + } + } + // Finally, `hole` gets dropped. If the shorter run was not fully consumed, whatever remains of + // it will now be copied into the hole in `v`. + + unsafe fn get_and_increment(ptr: &mut *mut T) -> *mut T { + let old = *ptr; + *ptr = unsafe { ptr.offset(1) }; + old + } + + unsafe fn decrement_and_get(ptr: &mut *mut T) -> *mut T { + *ptr = unsafe { ptr.offset(-1) }; + *ptr + } + + // When dropped, copies the range `start..end` into `dest..`. + struct MergeHole { + start: *mut T, + end: *mut T, + dest: *mut T, + } + + impl Drop for MergeHole { + fn drop(&mut self) { + // `T` is not a zero-sized type, so it's okay to divide by its size. + let len = (self.end as usize - self.start as usize) / mem::size_of::(); + unsafe { + ptr::copy_nonoverlapping(self.start, self.dest, len); + } + } + } +} + +#[cfg(not(no_global_oom_handling))] +fn merge_sort(v: &mut [T], mut is_less: F) +where + F: FnMut(&T, &T) -> bool, +{ + // Slices of up to this length get sorted using insertion sort. + const MAX_INSERTION: usize = 20; + // Very short runs are extended using insertion sort to span at least this many elements. + const MIN_RUN: usize = 10; + + // Sorting has no meaningful behavior on zero-sized types. + if size_of::() == 0 { + return; + } + + let len = v.len(); + + // Short arrays get sorted in-place via insertion sort to avoid allocations. + if len <= MAX_INSERTION { + if len >= 2 { + for i in (0..len - 1).rev() { + insert_head(&mut v[i..], &mut is_less); + } + } + return; + } + + // Allocate a buffer to use as scratch memory. We keep the length 0 so we can keep in it + // shallow copies of the contents of `v` without risking the dtors running on copies if + // `is_less` panics. When merging two sorted runs, this buffer holds a copy of the shorter run, + // which will always have length at most `len / 2`. + let mut buf = Vec::with_capacity(len / 2); + + // In order to identify natural runs in `v`, we traverse it backwards. That might seem like a + // strange decision, but consider the fact that merges more often go in the opposite direction + // (forwards). According to benchmarks, merging forwards is slightly faster than merging + // backwards. To conclude, identifying runs by traversing backwards improves performance. + let mut runs = vec![]; + let mut end = len; + while end > 0 { + // Find the next natural run, and reverse it if it's strictly descending. + let mut start = end - 1; + if start > 0 { + start -= 1; + unsafe { + if is_less(v.get_unchecked(start + 1), v.get_unchecked(start)) { + while start > 0 && is_less(v.get_unchecked(start), v.get_unchecked(start - 1)) { + start -= 1; + } + v[start..end].reverse(); + } else { + while start > 0 && !is_less(v.get_unchecked(start), v.get_unchecked(start - 1)) + { + start -= 1; + } + } + } + } + + // Insert some more elements into the run if it's too short. Insertion sort is faster than + // merge sort on short sequences, so this significantly improves performance. + while start > 0 && end - start < MIN_RUN { + start -= 1; + insert_head(&mut v[start..end], &mut is_less); + } + + // Push this run onto the stack. + runs.push(Run { start, len: end - start }); + end = start; + + // Merge some pairs of adjacent runs to satisfy the invariants. + while let Some(r) = collapse(&runs) { + let left = runs[r + 1]; + let right = runs[r]; + unsafe { + merge( + &mut v[left.start..right.start + right.len], + left.len, + buf.as_mut_ptr(), + &mut is_less, + ); + } + runs[r] = Run { start: left.start, len: left.len + right.len }; + runs.remove(r + 1); + } + } + + // Finally, exactly one run must remain in the stack. + debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); + + // Examines the stack of runs and identifies the next pair of runs to merge. More specifically, + // if `Some(r)` is returned, that means `runs[r]` and `runs[r + 1]` must be merged next. If the + // algorithm should continue building a new run instead, `None` is returned. + // + // TimSort is infamous for its buggy implementations, as described here: + // http://envisage-project.eu/timsort-specification-and-verification/ + // + // The gist of the story is: we must enforce the invariants on the top four runs on the stack. + // Enforcing them on just top three is not sufficient to ensure that the invariants will still + // hold for *all* runs in the stack. + // + // This function correctly checks invariants for the top four runs. Additionally, if the top + // run starts at index 0, it will always demand a merge operation until the stack is fully + // collapsed, in order to complete the sort. + #[inline] + fn collapse(runs: &[Run]) -> Option { + let n = runs.len(); + if n >= 2 + && (runs[n - 1].start == 0 + || runs[n - 2].len <= runs[n - 1].len + || (n >= 3 && runs[n - 3].len <= runs[n - 2].len + runs[n - 1].len) + || (n >= 4 && runs[n - 4].len <= runs[n - 3].len + runs[n - 2].len)) + { + if n >= 3 && runs[n - 3].len < runs[n - 1].len { Some(n - 3) } else { Some(n - 2) } + } else { + None + } + } + + #[derive(Clone, Copy)] + struct Run { + start: usize, + len: usize, + } +} \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/pure_code_without_comments.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/pure_code_without_comments.rs new file mode 100644 index 00000000000..f5007e705d2 --- /dev/null +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/pure_code_without_comments.rs @@ -0,0 +1,229 @@ +#![cfg_attr(test, allow(unused_imports, dead_code))] +use std::borrow::{Borrow, BorrowMut}; +#[cfg(not(no_global_oom_handling))] +use std::cmp::Ordering::{self, Less}; +#[cfg(not(no_global_oom_handling))] +use std::mem; +#[cfg(not(no_global_oom_handling))] +use std::mem::size_of; +#[cfg(not(no_global_oom_handling))] +use std::ptr; + +use std::borrow::ToOwned; +use std::boxed::Box; +use std::vec::Vec; + +pub fn main() { + +} + +#[cfg(not(no_global_oom_handling))] +fn insert_head(v: &mut [T], is_less: &mut F) +where + F: FnMut(&T, &T) -> bool, +{ + if v.len() >= 2 && is_less(&v[1], &v[0]) { + unsafe { + let mut tmp = mem::ManuallyDrop::new(ptr::read(&v[0])); + + let mut hole = InsertionHole { src: &mut *tmp, dest: &mut v[1] }; + ptr::copy_nonoverlapping(&v[1], &mut v[0], 1); + + for i in 2..v.len() { + if !is_less(&v[i], &*tmp) { + break; + } + ptr::copy_nonoverlapping(&v[i], &mut v[i - 1], 1); + hole.dest = &mut v[i]; + } + } + } + + struct InsertionHole { + src: *mut T, + dest: *mut T, + } + + impl Drop for InsertionHole { + fn drop(&mut self) { + unsafe { + ptr::copy_nonoverlapping(self.src, self.dest, 1); + } + } + } +} + +#[cfg(not(no_global_oom_handling))] +unsafe fn merge(v: &mut [T], mid: usize, buf: *mut T, is_less: &mut F) +where + F: FnMut(&T, &T) -> bool, +{ + let len = v.len(); + let v = v.as_mut_ptr(); + let (v_mid, v_end) = unsafe { (v.add(mid), v.add(len)) }; + + let mut hole; + + if mid <= len - mid { + unsafe { + ptr::copy_nonoverlapping(v, buf, mid); + hole = MergeHole { start: buf, end: buf.add(mid), dest: v }; + } + + let left = &mut hole.start; + let mut right = v_mid; + let out = &mut hole.dest; + + while *left < hole.end && right < v_end { + unsafe { + let to_copy = if is_less(&*right, &**left) { + get_and_increment(&mut right) + } else { + get_and_increment(left) + }; + ptr::copy_nonoverlapping(to_copy, get_and_increment(out), 1); + } + } + } else { + unsafe { + ptr::copy_nonoverlapping(v_mid, buf, len - mid); + hole = MergeHole { start: buf, end: buf.add(len - mid), dest: v_mid }; + } + + let left = &mut hole.dest; + let right = &mut hole.end; + let mut out = v_end; + + while v < *left && buf < *right { + unsafe { + let to_copy = if is_less(&*right.offset(-1), &*left.offset(-1)) { + decrement_and_get(left) + } else { + decrement_and_get(right) + }; + ptr::copy_nonoverlapping(to_copy, decrement_and_get(&mut out), 1); + } + } + } + + unsafe fn get_and_increment(ptr: &mut *mut T) -> *mut T { + let old = *ptr; + *ptr = unsafe { ptr.offset(1) }; + old + } + + unsafe fn decrement_and_get(ptr: &mut *mut T) -> *mut T { + *ptr = unsafe { ptr.offset(-1) }; + *ptr + } + + struct MergeHole { + start: *mut T, + end: *mut T, + dest: *mut T, + } + + impl Drop for MergeHole { + fn drop(&mut self) { + // `T` is not a zero-sized type, so it's okay to divide by its size. + let len = (self.end as usize - self.start as usize) / mem::size_of::(); + unsafe { + ptr::copy_nonoverlapping(self.start, self.dest, len); + } + } + } +} + +#[cfg(not(no_global_oom_handling))] +fn merge_sort(v: &mut [T], mut is_less: F) +where + F: FnMut(&T, &T) -> bool, +{ + const MAX_INSERTION: usize = 20; + const MIN_RUN: usize = 10; + + if size_of::() == 0 { + return; + } + + let len = v.len(); + + if len <= MAX_INSERTION { + if len >= 2 { + for i in (0..len - 1).rev() { + insert_head(&mut v[i..], &mut is_less); + } + } + return; + } + + let mut buf = Vec::with_capacity(len / 2); + + let mut runs = vec![]; + let mut end = len; + while end > 0 { + let mut start = end - 1; + if start > 0 { + start -= 1; + unsafe { + if is_less(v.get_unchecked(start + 1), v.get_unchecked(start)) { + while start > 0 && is_less(v.get_unchecked(start), v.get_unchecked(start - 1)) { + start -= 1; + } + v[start..end].reverse(); + } else { + while start > 0 && !is_less(v.get_unchecked(start), v.get_unchecked(start - 1)) + { + start -= 1; + } + } + } + } + + while start > 0 && end - start < MIN_RUN { + start -= 1; + insert_head(&mut v[start..end], &mut is_less); + } + + runs.push(Run { start, len: end - start }); + end = start; + + while let Some(r) = collapse(&runs) { + let left = runs[r + 1]; + let right = runs[r]; + unsafe { + merge( + &mut v[left.start..right.start + right.len], + left.len, + buf.as_mut_ptr(), + &mut is_less, + ); + } + runs[r] = Run { start: left.start, len: left.len + right.len }; + runs.remove(r + 1); + } + } + + debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); + + #[inline] + fn collapse(runs: &[Run]) -> Option { + let n = runs.len(); + if n >= 2 + && (runs[n - 1].start == 0 + || runs[n - 2].len <= runs[n - 1].len + || (n >= 3 && runs[n - 3].len <= runs[n - 2].len + runs[n - 1].len) + || (n >= 4 && runs[n - 4].len <= runs[n - 3].len + runs[n - 2].len)) + { + if n >= 3 && runs[n - 3].len < runs[n - 1].len { Some(n - 3) } else { Some(n - 2) } + } else { + None + } + } + + #[derive(Clone, Copy)] + struct Run { + start: usize, + len: usize, + } +} \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs new file mode 100644 index 00000000000..a4c1c6fe036 --- /dev/null +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs @@ -0,0 +1,179 @@ +use std::vec::Vec; + +pub fn main() { + let mut x = [-5, -4, -3, 1, 5151, 70, 5, 155, -65848, 151, 454, 8811, 5]; + merge_sort(&mut x); + println!("{:?}", x); +} + +fn insert_head(v: &mut [i32]) { + if v.len() >= 2 && (v[1] < v[0]) { + let tmp = v[0]; + v[0] = v[1]; + let mut i = 2; + while i < v.len() { + if !(v[i] < tmp) { + break; + } + v[i - 1] = v[i]; + i += 1; + } + v[i - 1] = tmp; + } +} + +fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { + let len = v.len(); + + if mid <= len - mid { + let mut i = 0; + while i < mid { + buf[i] = v[i]; + i += 1; + } + + let mut left = 0; + let mut right = mid; + let mut out = 0; + + while left < mid && right < len { + if v[right] < v[left] { + v[out] = v[right]; + right += 1; + } else { + v[out] = buf[left]; + left += 1; + } + out += 1; + } + + while left < mid { + v[out] = buf[left]; + out += 1; + left += 1; + } + + } else { + let mut i = mid; + while i < len { + buf[i - mid] = v[i]; + i += 1; + } + + let mut left = mid; + let mut right = len - mid; + let mut out = len; + + while v[0] < v[left] && buf[0] < buf[right] { + out -= 1; + if buf[right - 1] < v[left - 1] { + left -= 1; + v[out] = v[left]; + } else { + right -= 1; + v[out] = buf[right]; + } + } + + let mut i = 0; + while i < right { + v[left] = buf[i]; + i += 1; + left += 1; + } + } +} + +#[derive(Clone, Copy, Debug)] +struct Run { + start: usize, + len: usize, +} + +fn collapse(runs: &[Run]) -> usize { + let n = runs.len(); + if n >= 2 + && (runs[n - 1].start == 0 + || runs[n - 2].len <= runs[n - 1].len + || (n >= 3 && runs[n - 3].len <= runs[n - 2].len + runs[n - 1].len) + || (n >= 4 && runs[n - 4].len <= runs[n - 3].len + runs[n - 2].len)) + { + if n >= 3 && runs[n - 3].len < runs[n - 1].len { n - 3 } else { n - 2 } + } else { + 0 + } +} + +fn merge_sort(v: &mut [i32]) { + const MAX_INSERTION: usize = 5; + const MIN_RUN: usize = 10; + + if v.len() == 0 { + return; + } + + let len = v.len(); + + if len <= MAX_INSERTION { + if len >= 2 { + let mut i = len - 2; + while true { + insert_head(&mut v[i..]); + if i == 0 { + break; + } else { + i -= 1; + } + } + } + return; + } + + let mut buf = Vec::with_capacity(len / 2); + + let mut runs = vec![]; + let mut end = len; + while end > 0 { + let mut start = end - 1; + if start > 0 { + start -= 1; + if v.get(start + 1) < v.get(start) { + while start > 0 && v.get(start) < v.get(start - 1) { + start -= 1; + } + v[start..end].reverse(); + } else { + while start > 0 && !(v.get(start) < v.get(start - 1)) + { + start -= 1; + } + } + } + + while start > 0 && end - start < MIN_RUN { + start -= 1; + insert_head(&mut v[start..end]); + } + + runs.push(Run { start, len: end - start }); + end = start; + + while true { + let r = collapse(&runs); + if r == 0 { + break; + } + let left = runs[r + 1]; + let right = runs[r]; + merge( + &mut v[left.start..right.start + right.len], + left.len, + &mut buf, + ); + runs[r] = Run { start: left.start, len: left.len + right.len }; + runs.remove(r + 1); + } + } + + //debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); +} \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/temp b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/temp new file mode 100644 index 00000000000..2089e54d774 --- /dev/null +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/temp @@ -0,0 +1,57 @@ +extern crate prusti_contracts; +use prusti_contracts::*; + +pub fn main() { + +} + +fn selection_sort(mut a: [i32; 10]) { + let mut min; + let mut i = 0; + + while i < a.len() { + body_invariant!(0 <= i && i < a.len()); + + // sorted below i + body_invariant!(forall(|k1: usize, k2: usize| + (0 <= k1 && k1 < k2 && k2 < i) ==> a[k1] <= a[k2])); + // all below i are smaller than all above i + body_invariant!(forall(|k1: usize, k2: usize| + (0 <= k1 && k1 < i && i <= k2 && k2 < a.len()) + ==> a[k1] <= a[k2])); + + min = i; + let mut j = i + 1; + while j < a.len() { + // these three are the same as for the outer loop + body_invariant!(0 <= i && i < a.len()); + body_invariant!(forall(|k1: usize, k2: usize| + (0 <= k1 && k1 < k2 && k2 < i) ==> a[k1] <= a[k2])); + body_invariant!(forall(|k1: usize, k2: usize| + (0 <= k1 && k1 < i && i <= k2 && k2 < a.len()) + ==> a[k1] <= a[k2])); + + body_invariant!(i < j && j < a.len()); + body_invariant!(i <= min && min < a.len()); + // all previously sorted are smaller than the current min + body_invariant!(forall(|k: usize| + (0 <= k && k < i) ==> a[k] <= a[min])); + + // all not-yet-sorted checked so far are bigger + // than the current min + body_invariant!(forall(|k: usize| + (i <= k && k < j && k < a.len()) ==> a[min] <= a[k])); + + if a[j] < a[min] { + min = j; + } + j += 1; + } + + let a_i = a[i]; + let a_min = a[min]; + a[i] = a_min; + a[min] = a_i; + i += 1; + } +} \ No newline at end of file From c658cddc68a75f9060e3768c10b26960fd58a5cc Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Tue, 29 Mar 2022 15:32:32 +0200 Subject: [PATCH 02/14] fix compile error --- prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index fd05f4bb391..15aed2634fa 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -3,7 +3,6 @@ use std::vec::Vec; pub fn main() { let mut x = [-5, -4, -3, 1, 5151, 70, 5, 155, -65848, 151, 454, 8811, 5]; merge_sort(&mut x); - println!("{:?}", x); } fn insert_head(v: &mut [i32]) { @@ -100,7 +99,7 @@ fn collapse(runs: &[Run]) -> usize { { if n >= 3 && runs[n - 3].len < runs[n - 1].len { n - 3 } else { n - 2 } } else { - -1 + 0 } } From 6f08fd16d7ab18614e3f6946160859008f6440cc Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Tue, 29 Mar 2022 15:35:42 +0200 Subject: [PATCH 03/14] run tests on project --- prusti-tests/tests/cargotest.rs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/prusti-tests/tests/cargotest.rs b/prusti-tests/tests/cargotest.rs index e7725d8a7dd..ff239b692b1 100644 --- a/prusti-tests/tests/cargotest.rs +++ b/prusti-tests/tests/cargotest.rs @@ -227,4 +227,9 @@ fn test_overflow_checks() { test_local_project("overflow_checks"); } +#[cargo_test] +fn test_timsort() { + test_local_project("verifying_tim_sort"); +} + // TODO: automatically create a test for each folder in `test/cargo_verify`. From ee0b7f40042f81503f1d6a9672ff5bb468a6db85 Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Wed, 30 Mar 2022 02:01:48 +0200 Subject: [PATCH 04/14] fix some bugs, algorithm sorts correctly --- .../verifying_tim_sort/src/main.rs | 22 +++---- .../verifying_tim_sort/src/rewritten_code.rs | 23 ++++---- .../cargo_verify/verifying_tim_sort/src/temp | 57 ------------------- 3 files changed, 22 insertions(+), 80 deletions(-) delete mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/src/temp diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index 15aed2634fa..b9478d0566c 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,7 +1,7 @@ use std::vec::Vec; pub fn main() { - let mut x = [-5, -4, -3, 1, 5151, 70, 5, 155, -65848, 151, 454, 8811, 5]; + let mut x : [i32; 50] = [5; 50]; merge_sort(&mut x); } @@ -11,7 +11,7 @@ fn insert_head(v: &mut [i32]) { v[0] = v[1]; let mut i = 2; while i < v.len() { - if !(v[i] < tmp) { + if !(i < v.len() && v[i] < tmp) { break; } v[i - 1] = v[i]; @@ -27,7 +27,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { if mid <= len - mid { let mut i = 0; while i < mid { - buf[i] = v[i]; + buf.push(v[i]); i += 1; } @@ -55,7 +55,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { } else { let mut i = mid; while i < len { - buf[i - mid] = v[i]; + buf.push(v[i]); i += 1; } @@ -83,7 +83,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { } } -#[derive(Clone, Copy, Debug)] +#[derive(Clone, Copy)] struct Run { start: usize, len: usize, @@ -99,12 +99,12 @@ fn collapse(runs: &[Run]) -> usize { { if n >= 3 && runs[n - 3].len < runs[n - 1].len { n - 3 } else { n - 2 } } else { - 0 + n } } fn merge_sort(v: &mut [i32]) { - const MAX_INSERTION: usize = 5; + const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; if v.len() == 0 { @@ -116,7 +116,7 @@ fn merge_sort(v: &mut [i32]) { if len <= MAX_INSERTION { if len >= 2 { let mut i = len - 2; - while true { + loop { insert_head(&mut v[i..]); if i == 0 { break; @@ -157,9 +157,9 @@ fn merge_sort(v: &mut [i32]) { runs.push(Run { start, len: end - start }); end = start; - while true { + loop { let r = collapse(&runs); - if r == 0 { + if r == runs.len() { break; } let left = runs[r + 1]; @@ -174,5 +174,5 @@ fn merge_sort(v: &mut [i32]) { } } - //debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); + debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); } \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs index a4c1c6fe036..b9478d0566c 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs @@ -1,9 +1,8 @@ use std::vec::Vec; pub fn main() { - let mut x = [-5, -4, -3, 1, 5151, 70, 5, 155, -65848, 151, 454, 8811, 5]; + let mut x : [i32; 50] = [5; 50]; merge_sort(&mut x); - println!("{:?}", x); } fn insert_head(v: &mut [i32]) { @@ -12,7 +11,7 @@ fn insert_head(v: &mut [i32]) { v[0] = v[1]; let mut i = 2; while i < v.len() { - if !(v[i] < tmp) { + if !(i < v.len() && v[i] < tmp) { break; } v[i - 1] = v[i]; @@ -28,7 +27,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { if mid <= len - mid { let mut i = 0; while i < mid { - buf[i] = v[i]; + buf.push(v[i]); i += 1; } @@ -56,7 +55,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { } else { let mut i = mid; while i < len { - buf[i - mid] = v[i]; + buf.push(v[i]); i += 1; } @@ -84,7 +83,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { } } -#[derive(Clone, Copy, Debug)] +#[derive(Clone, Copy)] struct Run { start: usize, len: usize, @@ -100,12 +99,12 @@ fn collapse(runs: &[Run]) -> usize { { if n >= 3 && runs[n - 3].len < runs[n - 1].len { n - 3 } else { n - 2 } } else { - 0 + n } } fn merge_sort(v: &mut [i32]) { - const MAX_INSERTION: usize = 5; + const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; if v.len() == 0 { @@ -117,7 +116,7 @@ fn merge_sort(v: &mut [i32]) { if len <= MAX_INSERTION { if len >= 2 { let mut i = len - 2; - while true { + loop { insert_head(&mut v[i..]); if i == 0 { break; @@ -158,9 +157,9 @@ fn merge_sort(v: &mut [i32]) { runs.push(Run { start, len: end - start }); end = start; - while true { + loop { let r = collapse(&runs); - if r == 0 { + if r == runs.len() { break; } let left = runs[r + 1]; @@ -175,5 +174,5 @@ fn merge_sort(v: &mut [i32]) { } } - //debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); + debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); } \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/temp b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/temp deleted file mode 100644 index 2089e54d774..00000000000 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/temp +++ /dev/null @@ -1,57 +0,0 @@ -extern crate prusti_contracts; -use prusti_contracts::*; - -pub fn main() { - -} - -fn selection_sort(mut a: [i32; 10]) { - let mut min; - let mut i = 0; - - while i < a.len() { - body_invariant!(0 <= i && i < a.len()); - - // sorted below i - body_invariant!(forall(|k1: usize, k2: usize| - (0 <= k1 && k1 < k2 && k2 < i) ==> a[k1] <= a[k2])); - // all below i are smaller than all above i - body_invariant!(forall(|k1: usize, k2: usize| - (0 <= k1 && k1 < i && i <= k2 && k2 < a.len()) - ==> a[k1] <= a[k2])); - - min = i; - let mut j = i + 1; - while j < a.len() { - // these three are the same as for the outer loop - body_invariant!(0 <= i && i < a.len()); - body_invariant!(forall(|k1: usize, k2: usize| - (0 <= k1 && k1 < k2 && k2 < i) ==> a[k1] <= a[k2])); - body_invariant!(forall(|k1: usize, k2: usize| - (0 <= k1 && k1 < i && i <= k2 && k2 < a.len()) - ==> a[k1] <= a[k2])); - - body_invariant!(i < j && j < a.len()); - body_invariant!(i <= min && min < a.len()); - // all previously sorted are smaller than the current min - body_invariant!(forall(|k: usize| - (0 <= k && k < i) ==> a[k] <= a[min])); - - // all not-yet-sorted checked so far are bigger - // than the current min - body_invariant!(forall(|k: usize| - (i <= k && k < j && k < a.len()) ==> a[min] <= a[k])); - - if a[j] < a[min] { - min = j; - } - j += 1; - } - - let a_i = a[i]; - let a_min = a[min]; - a[i] = a_min; - a[min] = a_i; - i += 1; - } -} \ No newline at end of file From 13fca494868d7456cbb459e0f127dac2a7a5abfe Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Fri, 1 Apr 2022 11:05:25 +0200 Subject: [PATCH 05/14] fix errors with array indices --- .../verifying_tim_sort/src/main.rs | 109 +++++++++++++++--- 1 file changed, 90 insertions(+), 19 deletions(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index b9478d0566c..5b9a0cd068c 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,3 +1,6 @@ +extern crate prusti_contracts; +use prusti_contracts::*; + use std::vec::Vec; pub fn main() { @@ -11,6 +14,7 @@ fn insert_head(v: &mut [i32]) { v[0] = v[1]; let mut i = 2; while i < v.len() { + body_invariant!(i >= 2 && i < v.len()); if !(i < v.len() && v[i] < tmp) { break; } @@ -21,12 +25,38 @@ fn insert_head(v: &mut [i32]) { } } -fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { +struct Buf{ + v: Vec, +} + +impl Buf { + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn len(&self) -> usize { + self.v.len() + } + + #[trusted] + #[requires(0 <= index && index < self.len())] + pub fn index(&self, index: usize) -> i32 { + self.v[index] + } + + #[trusted] + pub fn push(&mut self, value: i32) { + self.v.push(value); + } +} + +#[requires(mid >= 0 && mid <= v.len())] +fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let len = v.len(); if mid <= len - mid { let mut i = 0; while i < mid { + body_invariant!(i >= 0 && i < v.len()); buf.push(v[i]); i += 1; } @@ -36,18 +66,22 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { let mut out = 0; while left < mid && right < len { + body_invariant!(len <= v.len() && right < len && left < len); + body_invariant!(left + right - mid < v.len()); + body_invariant!(out <= left + right - mid); + body_invariant!(out < v.len()); if v[right] < v[left] { v[out] = v[right]; right += 1; } else { - v[out] = buf[left]; + v[out] = buf.index(left); left += 1; } out += 1; } while left < mid { - v[out] = buf[left]; + v[out] = buf.index(left); out += 1; left += 1; } @@ -63,20 +97,21 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { let mut right = len - mid; let mut out = len; - while v[0] < v[left] && buf[0] < buf[right] { + let argument = 0; + while v[0] < v[left] && buf.index(argument) < buf.index(right) { out -= 1; - if buf[right - 1] < v[left - 1] { + if buf.index(right - 1) < v[left - 1] { left -= 1; v[out] = v[left]; } else { right -= 1; - v[out] = buf[right]; + v[out] = buf.index(right); } } let mut i = 0; while i < right { - v[left] = buf[i]; + v[left] = buf.index(i); i += 1; left += 1; } @@ -89,15 +124,51 @@ struct Run { len: usize, } -fn collapse(runs: &[Run]) -> usize { +struct Runs{ + v: Vec, +} + +impl Runs { + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn len(&self) -> usize { + self.v.len() + } + + #[trusted] + #[requires(0 <= index && index < self.len())] + pub fn index(&self, index: usize) -> &Run { + &self.v[index] + } + + #[trusted] + #[requires(0 <= index && index < self.len())] + pub fn assign(&mut self, index: usize, value: Run) { + self.v[index] = value; + } + + #[trusted] + pub fn push(&mut self, value: Run) { + self.v.push(value); + } + + #[trusted] + #[requires(0 <= index && index < self.len())] + pub fn remove(&mut self, index: usize) { + self.v.remove(index); + } +} + +fn collapse(runs: &Runs) -> usize { let n = runs.len(); if n >= 2 - && (runs[n - 1].start == 0 - || runs[n - 2].len <= runs[n - 1].len - || (n >= 3 && runs[n - 3].len <= runs[n - 2].len + runs[n - 1].len) - || (n >= 4 && runs[n - 4].len <= runs[n - 3].len + runs[n - 2].len)) + && (runs.index(n - 1).start == 0 + || runs.index(n - 2).len <= runs.index(n - 1).len + || (n >= 3 && runs.index(n - 3).len <= runs.index(n - 2).len + runs.index(n - 1).len) + || (n >= 4 && runs.index(n - 4).len <= runs.index(n - 3).len + runs.index(n - 2).len)) { - if n >= 3 && runs[n - 3].len < runs[n - 1].len { n - 3 } else { n - 2 } + if n >= 3 && runs.index(n - 3).len < runs.index(n - 1).len { n - 3 } else { n - 2 } } else { n } @@ -128,9 +199,9 @@ fn merge_sort(v: &mut [i32]) { return; } - let mut buf = Vec::with_capacity(len / 2); + let mut buf = Buf{v: Vec::with_capacity(len / 2)}; - let mut runs = vec![]; + let mut runs = Runs{v: vec![]}; let mut end = len; while end > 0 { let mut start = end - 1; @@ -162,17 +233,17 @@ fn merge_sort(v: &mut [i32]) { if r == runs.len() { break; } - let left = runs[r + 1]; - let right = runs[r]; + let left = runs.index(r + 1); + let right = runs.index(r); merge( &mut v[left.start..right.start + right.len], left.len, &mut buf, ); - runs[r] = Run { start: left.start, len: left.len + right.len }; + runs.assign(r, Run { start: left.start, len: left.len + right.len }); runs.remove(r + 1); } } - debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); + debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); } \ No newline at end of file From 758b16d335010a90c99b290f91f45b4e58d8c16e Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Fri, 1 Apr 2022 11:27:40 +0200 Subject: [PATCH 06/14] add prusti dependency --- .../cargo_verify/verifying_tim_sort/Cargo.lock | 14 ++++++++++++++ .../cargo_verify/verifying_tim_sort/Cargo.toml | 1 + .../cargo_verify/verifying_tim_sort/src/main.rs | 1 - 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.lock b/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.lock index 96201446251..1e367c59d2c 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.lock +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.lock @@ -2,6 +2,20 @@ # It is not intended for manual editing. version = 3 +[[package]] +name = "prusti-contracts" +version = "0.1.0" +dependencies = [ + "prusti-contracts-impl", +] + +[[package]] +name = "prusti-contracts-impl" +version = "0.1.0" + [[package]] name = "verifying_tim_sort" version = "0.1.0" +dependencies = [ + "prusti-contracts", +] diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.toml b/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.toml index 9418ae949eb..dd44fa7f7b3 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.toml +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/Cargo.toml @@ -6,3 +6,4 @@ edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] +prusti-contracts = { path = "prusti-contracts" } diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index 5b9a0cd068c..b9e9bd53b6a 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,4 +1,3 @@ -extern crate prusti_contracts; use prusti_contracts::*; use std::vec::Vec; From 9efd1b7a18f6988cba237639fa3284bec90d4cd1 Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Tue, 12 Apr 2022 08:26:55 +0200 Subject: [PATCH 07/14] add out-of-bounds and overflow checks --- .../verifying_tim_sort/src/main.rs | 173 +++++++++--- .../verifying_tim_sort/src/rewritten_code.rs | 260 +++++++++++++++--- 2 files changed, 352 insertions(+), 81 deletions(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index b9e9bd53b6a..aab28e83cd5 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,3 +1,4 @@ +extern crate prusti_contracts; use prusti_contracts::*; use std::vec::Vec; @@ -38,38 +39,51 @@ impl Buf { #[trusted] #[requires(0 <= index && index < self.len())] + #[ensures(self.len() == old(self).len())] pub fn index(&self, index: usize) -> i32 { self.v[index] } #[trusted] + #[ensures(self.len() == old(self).len() + 1)] pub fn push(&mut self, value: i32) { self.v.push(value); } } -#[requires(mid >= 0 && mid <= v.len())] +#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let len = v.len(); - if mid <= len - mid { let mut i = 0; while i < mid { - body_invariant!(i >= 0 && i < v.len()); + body_invariant!(i < mid); + body_invariant!(buf.len() == i); + body_invariant!(buf.len() < mid); buf.push(v[i]); i += 1; + assert!(buf.len() <= mid); } + assert!(buf.len() == mid); let mut left = 0; let mut right = mid; let mut out = 0; while left < mid && right < len { - body_invariant!(len <= v.len() && right < len && left < len); + body_invariant!(right < len); + body_invariant!(len == v.len()); + body_invariant!(right < v.len()); + + body_invariant!(left < mid); + body_invariant!(buf.len() == mid); + body_invariant!(left < buf.len()); + body_invariant!(left + right - mid < v.len()); body_invariant!(out <= left + right - mid); body_invariant!(out < v.len()); - if v[right] < v[left] { + + if v[right] < buf.index(left) { v[out] = v[right]; right += 1; } else { @@ -80,24 +94,49 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } while left < mid { + body_invariant!(left < mid); + body_invariant!(v.len() - out >= mid - left); + body_invariant!(out < v.len()); + + body_invariant!(left < mid); + body_invariant!(buf.len() == mid); + body_invariant!(left < buf.len()); + v[out] = buf.index(left); out += 1; left += 1; } - } else { let mut i = mid; while i < len { + body_invariant!(i >= mid && i < len); + body_invariant!(buf.len() == i - mid); + body_invariant!(buf.len() < len - mid); buf.push(v[i]); i += 1; + assert!(buf.len() <= len - mid); } + assert!(buf.len() == len - mid); let mut left = mid; let mut right = len - mid; let mut out = len; - let argument = 0; - while v[0] < v[left] && buf.index(argument) < buf.index(right) { + while left > 0 && right > 0 { + body_invariant!(left >= 1); + body_invariant!(mid <= v.len()); + body_invariant!(left <= mid); + body_invariant!(left <= v.len()); + + body_invariant!(right >= 1); + body_invariant!(right <= len - mid); + body_invariant!(right <= buf.len()); + + body_invariant!(out <= v.len()); + body_invariant!(left + right > 0); + body_invariant!(out == left + right); + body_invariant!(out > 0); + out -= 1; if buf.index(right - 1) < v[left - 1] { left -= 1; @@ -108,11 +147,17 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } } - let mut i = 0; - while i < right { - v[left] = buf.index(i); - i += 1; - left += 1; + while right > 0 { + body_invariant!(right >= 1); + + body_invariant!(right <= len - mid); + body_invariant!(right <= buf.len()); + + body_invariant!(right <= len); + body_invariant!(right <= v.len()); + + right -= 1; + v[right] = buf.index(right); } } } @@ -121,6 +166,37 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { struct Run { start: usize, len: usize, + array_size: usize, +} + +impl Run { + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn len(&self) -> usize { + self.len + } + + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn start(&self) -> usize { + self.start + } + + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn array_size(&self) -> usize { + self.array_size + } + + #[trusted] + #[pure] + #[ensures(result >= 0 && result <= self.array_size())] + pub fn run_last_index_exclusive(&self) -> usize { + self.len() + self.start() + } } struct Runs{ @@ -137,6 +213,7 @@ impl Runs { #[trusted] #[requires(0 <= index && index < self.len())] + #[ensures(self.len() == old(self).len())] pub fn index(&self, index: usize) -> &Run { &self.v[index] } @@ -148,17 +225,20 @@ impl Runs { } #[trusted] + #[ensures(self.len() == old(self).len() + 1)] pub fn push(&mut self, value: Run) { self.v.push(value); } #[trusted] #[requires(0 <= index && index < self.len())] + #[ensures(self.len() == old(self).len() - 1)] pub fn remove(&mut self, index: usize) { self.v.remove(index); } } +#[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] fn collapse(runs: &Runs) -> usize { let n = runs.len(); if n >= 2 @@ -182,15 +262,18 @@ fn merge_sort(v: &mut [i32]) { } let len = v.len(); + assert!(len == v.len()); if len <= MAX_INSERTION { if len >= 2 { let mut i = len - 2; loop { + body_invariant!(i >= 0); insert_head(&mut v[i..]); if i == 0 { break; } else { + assert!(i > 0); i -= 1; } } @@ -199,50 +282,68 @@ fn merge_sort(v: &mut [i32]) { } let mut buf = Buf{v: Vec::with_capacity(len / 2)}; - let mut runs = Runs{v: vec![]}; let mut end = len; + assert!(end == v.len()); + while end > 0 { + body_invariant!(end >= 1 && end <= v.len()); let mut start = end - 1; + if start > 0 { start -= 1; - if v.get(start + 1) < v.get(start) { - while start > 0 && v.get(start) < v.get(start - 1) { - start -= 1; + assert!(start < end - 1); + assert!(end <= v.len()); + assert!(start < v.len() - 1); + if v[start + 1] < v[start] { + while start > 0 { + body_invariant!(start >= 1 && start < v.len() - 1); + if !(v[start] < v[start - 1]) { + break; } - v[start..end].reverse(); - } else { - while start > 0 && !(v.get(start) < v.get(start - 1)) - { - start -= 1; + start -= 1; + } + v[start..end].reverse(); + } else { + while start > 0 { + body_invariant!(start >= 1 && start < v.len() - 1); + if v[start] < v[start - 1] { + break; } + start -= 1; } + } } while start > 0 && end - start < MIN_RUN { + body_invariant!(start >= 1); start -= 1; insert_head(&mut v[start..end]); } - - runs.push(Run { start, len: end - start }); + + runs.push(Run { start, len: end - start, array_size: len }); end = start; - + loop { let r = collapse(&runs); + assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); if r == runs.len() { + assert!(r == runs.len()); break; + } else if runs.len() > 1 && r < runs.len() - 1 { + assert!(runs.len() > 1 && r < runs.len() - 1); + let left = runs.index(r + 1); + let right = runs.index(r); + merge( + &mut v[left.start..right.run_last_index_exclusive()], + left.len, + &mut buf, + ); + //runs.assign(r, Run { start: left.start, len: left.len + right.len, array_size: len }); + runs.remove(r + 1); } - let left = runs.index(r + 1); - let right = runs.index(r); - merge( - &mut v[left.start..right.start + right.len], - left.len, - &mut buf, - ); - runs.assign(r, Run { start: left.start, len: left.len + right.len }); - runs.remove(r + 1); } } - - debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); + + //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); } \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs index b9478d0566c..248dc2ba408 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs @@ -1,3 +1,6 @@ +extern crate prusti_contracts; +use prusti_contracts::*; + use std::vec::Vec; pub fn main() { @@ -11,6 +14,7 @@ fn insert_head(v: &mut [i32]) { v[0] = v[1]; let mut i = 2; while i < v.len() { + body_invariant!(i >= 2 && i < v.len()); if !(i < v.len() && v[i] < tmp) { break; } @@ -21,64 +25,137 @@ fn insert_head(v: &mut [i32]) { } } -fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { - let len = v.len(); +struct Buf{ + v: Vec, +} + +impl Buf { + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn len(&self) -> usize { + self.v.len() + } + + #[trusted] + #[requires(0 <= index && index < self.len())] + #[ensures(self.len() == old(self).len())] + pub fn index(&self, index: usize) -> i32 { + self.v[index] + } + #[trusted] + #[ensures(self.len() == old(self).len() + 1)] + pub fn push(&mut self, value: i32) { + self.v.push(value); + } +} + +#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] +fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { + let len = v.len(); + assert!(len == v.len()); if mid <= len - mid { let mut i = 0; while i < mid { + body_invariant!(i < mid); + body_invariant!(buf.len() == i); + body_invariant!(buf.len() < mid); buf.push(v[i]); i += 1; + assert!(buf.len() <= mid); } + assert!(buf.len() == mid); let mut left = 0; let mut right = mid; let mut out = 0; while left < mid && right < len { - if v[right] < v[left] { + body_invariant!(right < len); + body_invariant!(right < v.len()); + + body_invariant!(left < mid); + body_invariant!(left < buf.len()); + + body_invariant!(left + right - mid < v.len()); + body_invariant!(out <= left + right - mid); + body_invariant!(out < v.len()); + + if v[right] < buf.index(left) { v[out] = v[right]; right += 1; } else { - v[out] = buf[left]; + v[out] = buf.index(left); left += 1; } out += 1; } while left < mid { - v[out] = buf[left]; + body_invariant!(left < mid); + body_invariant!(v.len() - out >= mid - left); + body_invariant!(out < v.len()); + + body_invariant!(left < mid); + body_invariant!(left < buf.len()); + + v[out] = buf.index(left); out += 1; left += 1; } - } else { let mut i = mid; while i < len { + body_invariant!(i >= mid && i < len); + body_invariant!(buf.len() == i - mid); + body_invariant!(buf.len() < len - mid); buf.push(v[i]); i += 1; + assert!(buf.len() <= len - mid); } + assert!(buf.len() == len - mid); let mut left = mid; let mut right = len - mid; let mut out = len; - while v[0] < v[left] && buf[0] < buf[right] { + while left > 0 && right > 0 { + body_invariant!(left >= 1); + body_invariant!(mid <= v.len()); + body_invariant!(left <= mid); + body_invariant!(left <= v.len()); + + body_invariant!(right >= 1); + body_invariant!(right <= len - mid); + body_invariant!(right <= buf.len()); + + body_invariant!(out <= v.len()); + body_invariant!(left + right > 0); + body_invariant!(out == left + right); + body_invariant!(out > 0); + out -= 1; - if buf[right - 1] < v[left - 1] { + if buf.index(right - 1) < v[left - 1] { left -= 1; v[out] = v[left]; } else { right -= 1; - v[out] = buf[right]; + v[out] = buf.index(right); } } - let mut i = 0; - while i < right { - v[left] = buf[i]; - i += 1; - left += 1; + while right > 0 { + body_invariant!(right >= 1); + + body_invariant!(right <= len - mid); + body_invariant!(right <= buf.len()); + + body_invariant!(right <= len); + body_invariant!(right <= v.len()); + + right -= 1; + v[right] = buf.index(right); } } } @@ -87,23 +164,95 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Vec) { struct Run { start: usize, len: usize, + array_size: usize, } -fn collapse(runs: &[Run]) -> usize { +impl Run { + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn len(&self) -> usize { + self.len + } + + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn start(&self) -> usize { + self.start + } + + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn array_size(&self) -> usize { + self.array_size + } + + #[trusted] + #[pure] + #[ensures(result >= 0 && result <= self.array_size())] + pub fn run_last_index_exclusive(&self) -> usize { + self.len() + self.start() + } +} + +struct Runs{ + v: Vec, +} + +impl Runs { + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn len(&self) -> usize { + self.v.len() + } + + #[trusted] + #[requires(0 <= index && index < self.len())] + #[ensures(self.len() == old(self).len())] + pub fn index(&self, index: usize) -> &Run { + &self.v[index] + } + + #[trusted] + #[requires(0 <= index && index < self.len())] + pub fn assign(&mut self, index: usize, value: Run) { + self.v[index] = value; + } + + #[trusted] + #[ensures(self.len() == old(self).len() + 1)] + pub fn push(&mut self, value: Run) { + self.v.push(value); + } + + #[trusted] + #[requires(0 <= index && index < self.len())] + #[ensures(self.len() == old(self).len() - 1)] + pub fn remove(&mut self, index: usize) { + self.v.remove(index); + } +} + +#[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] +fn collapse(runs: &Runs) -> usize { let n = runs.len(); if n >= 2 - && (runs[n - 1].start == 0 - || runs[n - 2].len <= runs[n - 1].len - || (n >= 3 && runs[n - 3].len <= runs[n - 2].len + runs[n - 1].len) - || (n >= 4 && runs[n - 4].len <= runs[n - 3].len + runs[n - 2].len)) + && (runs.index(n - 1).start == 0 + || runs.index(n - 2).len <= runs.index(n - 1).len + || (n >= 3 && runs.index(n - 3).len <= runs.index(n - 2).len + runs.index(n - 1).len) + || (n >= 4 && runs.index(n - 4).len <= runs.index(n - 3).len + runs.index(n - 2).len)) { - if n >= 3 && runs[n - 3].len < runs[n - 1].len { n - 3 } else { n - 2 } + if n >= 3 && runs.index(n - 3).len < runs.index(n - 1).len { n - 3 } else { n - 2 } } else { n } } fn merge_sort(v: &mut [i32]) { + const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; @@ -112,15 +261,18 @@ fn merge_sort(v: &mut [i32]) { } let len = v.len(); + assert!(len == v.len()); if len <= MAX_INSERTION { if len >= 2 { let mut i = len - 2; loop { + body_invariant!(i >= 0); insert_head(&mut v[i..]); if i == 0 { break; } else { + assert!(i > 0); i -= 1; } } @@ -128,51 +280,69 @@ fn merge_sort(v: &mut [i32]) { return; } - let mut buf = Vec::with_capacity(len / 2); - - let mut runs = vec![]; + let mut buf = Buf{v: Vec::with_capacity(len / 2)}; + let mut runs = Runs{v: vec![]}; let mut end = len; + assert!(end == v.len()); + while end > 0 { + body_invariant!(end >= 1 && end <= v.len()); let mut start = end - 1; + if start > 0 { start -= 1; - if v.get(start + 1) < v.get(start) { - while start > 0 && v.get(start) < v.get(start - 1) { - start -= 1; + assert!(start < end - 1); + assert!(end <= v.len()); + assert!(start < v.len() - 1); + if v[start + 1] < v[start] { + while start > 0 { + body_invariant!(start >= 1 && start < v.len() - 1); + if !(v[start] < v[start - 1]) { + break; } - v[start..end].reverse(); - } else { - while start > 0 && !(v.get(start) < v.get(start - 1)) - { - start -= 1; + start -= 1; + } + v[start..end].reverse(); + } else { + while start > 0 { + body_invariant!(start >= 1 && start < v.len() - 1); + if v[start] < v[start - 1] { + break; } + start -= 1; } + } } while start > 0 && end - start < MIN_RUN { + body_invariant!(start >= 1); start -= 1; insert_head(&mut v[start..end]); } - - runs.push(Run { start, len: end - start }); + + runs.push(Run { start, len: end - start, array_size: len }); end = start; - + loop { let r = collapse(&runs); + assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); if r == runs.len() { + assert!(r == runs.len()); break; + } else if runs.len() > 1 && r < runs.len() - 1 { + assert!(runs.len() > 1 && r < runs.len() - 1); + let left = runs.index(r + 1); + let right = runs.index(r); + merge( + &mut v[left.start..right.run_last_index_exclusive()], + left.len, + &mut buf, + ); + //runs.assign(r, Run { start: left.start, len: left.len + right.len, array_size: len }); + runs.remove(r + 1); } - let left = runs[r + 1]; - let right = runs[r]; - merge( - &mut v[left.start..right.start + right.len], - left.len, - &mut buf, - ); - runs[r] = Run { start: left.start, len: left.len + right.len }; - runs.remove(r + 1); } } - - debug_assert!(runs.len() == 1 && runs[0].start == 0 && runs[0].len == len); + + //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); } \ No newline at end of file From 99ab5ff182dac0063e5eace619f35b95d93bb76a Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Tue, 19 Apr 2022 07:05:48 +0200 Subject: [PATCH 08/14] verify more parts of the algorithm --- .../verifying_tim_sort/src/main.rs | 268 +++++++++++------- 1 file changed, 173 insertions(+), 95 deletions(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index aab28e83cd5..70a5a5b7ec6 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -5,10 +5,11 @@ use std::vec::Vec; pub fn main() { let mut x : [i32; 50] = [5; 50]; - merge_sort(&mut x); + //merge_sort(&mut x); } fn insert_head(v: &mut [i32]) { + /* if v.len() >= 2 && (v[1] < v[0]) { let tmp = v[0]; v[0] = v[1]; @@ -23,6 +24,7 @@ fn insert_head(v: &mut [i32]) { } v[i - 1] = tmp; } + */ } struct Buf{ @@ -30,6 +32,7 @@ struct Buf{ } impl Buf { + /* #[trusted] #[pure] #[ensures(result >= 0)] @@ -38,8 +41,9 @@ impl Buf { } #[trusted] + #[pure] #[requires(0 <= index && index < self.len())] - #[ensures(self.len() == old(self).len())] + //#[ensures(self.len() == old(self).len())] pub fn index(&self, index: usize) -> i32 { self.v[index] } @@ -49,10 +53,12 @@ impl Buf { pub fn push(&mut self, value: i32) { self.v.push(value); } + */ } -#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] +//#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { + /* let len = v.len(); if mid <= len - mid { let mut i = 0; @@ -92,7 +98,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } out += 1; } - + while left < mid { body_invariant!(left < mid); body_invariant!(v.len() - out >= mid - left); @@ -160,47 +166,13 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { v[right] = buf.index(right); } } -} - -#[derive(Clone, Copy)] -struct Run { - start: usize, - len: usize, - array_size: usize, -} - -impl Run { - #[trusted] - #[pure] - #[ensures(result >= 0)] - pub fn len(&self) -> usize { - self.len - } - - #[trusted] - #[pure] - #[ensures(result >= 0)] - pub fn start(&self) -> usize { - self.start - } - - #[trusted] - #[pure] - #[ensures(result >= 0)] - pub fn array_size(&self) -> usize { - self.array_size - } - - #[trusted] - #[pure] - #[ensures(result >= 0 && result <= self.array_size())] - pub fn run_last_index_exclusive(&self) -> usize { - self.len() + self.start() - } + */ } struct Runs{ - v: Vec, + start: Vec, + len: Vec, + runs_sum: usize, } impl Runs { @@ -208,52 +180,103 @@ impl Runs { #[pure] #[ensures(result >= 0)] pub fn len(&self) -> usize { - self.v.len() + self.len.len() } - - #[trusted] - #[requires(0 <= index && index < self.len())] - #[ensures(self.len() == old(self).len())] - pub fn index(&self, index: usize) -> &Run { - &self.v[index] + + #[requires(self.runs_sum + value <= usize::MAX)] + #[ensures(self.runs_sum == old(self.runs_sum) + value)] + #[ensures(self.runs_sum <= usize::MAX)] + pub fn add_runs_sum(&mut self, value: usize) { + self.runs_sum += value; } + // #[pure] + // #[trusted] + // #[requires(0 <= index && index < self.len())] + // pub fn index_start(&self, index: usize) -> usize { + // self.start[index] + // } + + #[pure] #[trusted] #[requires(0 <= index && index < self.len())] - pub fn assign(&mut self, index: usize, value: Run) { - self.v[index] = value; + pub fn index_len(&self, index: usize) -> usize { + self.len[index] } #[trusted] - #[ensures(self.len() == old(self).len() + 1)] - pub fn push(&mut self, value: Run) { - self.v.push(value); + #[requires(2 * new_len <= usize::MAX)] + #[requires(2 * (self.runs_sum + new_len) <= usize::MAX)] + #[ensures(self.len() == old(self.len()) + 1)] + #[ensures(self.runs_sum == old(self.runs_sum) + new_len)] + #[ensures(new_len <= self.runs_sum)] + #[ensures(2 * (self.runs_sum) <= usize::MAX)] + #[ensures(self.index_len(self.len() - 1) == new_len)] + #[ensures(self.runs_sum == old(self.runs_sum) + self.index_len(self.len() - 1))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> 2 * self.index_len(i) <= usize::MAX)))] + pub fn push(&mut self, new_start: usize, new_len: usize) { + self.add_runs_sum(new_len); + self.start.push(new_start); + self.len.push(new_len); } - #[trusted] - #[requires(0 <= index && index < self.len())] - #[ensures(self.len() == old(self).len() - 1)] - pub fn remove(&mut self, index: usize) { - self.v.remove(index); - } -} -#[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] -fn collapse(runs: &Runs) -> usize { - let n = runs.len(); - if n >= 2 - && (runs.index(n - 1).start == 0 - || runs.index(n - 2).len <= runs.index(n - 1).len - || (n >= 3 && runs.index(n - 3).len <= runs.index(n - 2).len + runs.index(n - 1).len) - || (n >= 4 && runs.index(n - 4).len <= runs.index(n - 3).len + runs.index(n - 2).len)) - { - if n >= 3 && runs.index(n - 3).len < runs.index(n - 1).len { n - 3 } else { n - 2 } - } else { - n - } + // #[trusted] + // #[requires(0 <= index && index < self.len() - 1)] + // #[requires(new_len == self.index_len(index) + self.index_len(index + 1))] + // #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] + // #[ensures(self.len() == old(self.len()) - 1)] + // #[ensures(self.runs_sum == old(self.runs_sum))] + // #[ensures(2 * (self.runs_sum) <= usize::MAX)] + // #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> 2 * self.index_len(i) <= usize::MAX)))] + // pub fn merge(&mut self, index: usize, new_start: usize, new_len: usize) { + // self.start[index] = new_start; + // self.len[index] = new_len; + // self.start.remove(index + 1); + // self.len.remove(index + 1); + // } } -fn merge_sort(v: &mut [i32]) { +// #[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> 2 * runs.index_len(i) <= usize::MAX)))] +// #[requires(2 * runs.runs_sum <= usize::MAX)] +// #[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] +// fn collapse(runs: &Runs) -> usize { +// let n = runs.len(); +// if n >= 2 { +// assert!(n >= 2 && n <= runs.len()); +// if runs.index_start(n - 1) == 0 { +// return n - 2; +// } else if runs.index_len(n - 2) <= runs.index_len(n - 1) { +// return n - 2; +// } else if n >= 3 { +// assert!(n >= 3 && n <= runs.len()); +// assert!(runs.index_len(n - 2) <= usize::MAX); +// assert!(runs.runs_sum <= usize::MAX); +// //assert!(runs.index_len(n - 2) + runs.index_len(n - 1) <= usize::MAX); +// if runs.index_len(n - 3) <= runs.index_len(n - 2) + runs.index_len(n - 1) { +// if runs.index_len(n - 3) < runs.index_len(n - 1) { +// return n - 3; +// } else { +// return n - 2; +// } +// } else if n >= 4 { +// assert!(n >= 4 && n <= runs.len()); +// if runs.index_len(n - 4) <= runs.index_len(n - 3) + runs.index_len(n - 2) { +// if runs.index_len(n - 3) < runs.index_len(n - 1) { +// return n - 3; +// } else { +// return n - 2; +// } +// } +// } +// } +// } +// return n; +// } + +#[requires(runs.len() == 0 && runs.runs_sum == 0)] +#[requires(2 * v.len() <= usize::MAX)] +fn merge_sort(v: &mut [i32], runs: &mut Runs) { const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; @@ -262,8 +285,7 @@ fn merge_sort(v: &mut [i32]) { } let len = v.len(); - assert!(len == v.len()); - + //assert!(len == v.len()); if len <= MAX_INSERTION { if len >= 2 { let mut i = len - 2; @@ -273,23 +295,34 @@ fn merge_sort(v: &mut [i32]) { if i == 0 { break; } else { - assert!(i > 0); + //assert!(i > 0); i -= 1; } } } return; } - + let mut buf = Buf{v: Vec::with_capacity(len / 2)}; - let mut runs = Runs{v: vec![]}; + //let mut runs = Runs{start: vec![], len:vec![], runs_sum: 0}; let mut end = len; - assert!(end == v.len()); - + //assert!(end == v.len()); + assert!(v.len() >= 1); + assert!(runs.runs_sum == 0); + assert!(runs.len() == 0); + + let mut cur_runs_len = 0; while end > 0 { body_invariant!(end >= 1 && end <= v.len()); + body_invariant!(cur_runs_len == runs.runs_sum); + body_invariant!(cur_runs_len == v.len() - end); + body_invariant!(runs.runs_sum == v.len() - end); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> 2 * runs.index_len(i) <= usize::MAX))); + + let mut start = end - 1; - + assert!(start < end); + if start > 0 { start -= 1; assert!(start < end - 1); @@ -297,16 +330,18 @@ fn merge_sort(v: &mut [i32]) { assert!(start < v.len() - 1); if v[start + 1] < v[start] { while start > 0 { - body_invariant!(start >= 1 && start < v.len() - 1); + body_invariant!(cur_runs_len == v.len() - end); + body_invariant!(start >= 1 && start < v.len() - 1 && start < end); if !(v[start] < v[start - 1]) { break; } start -= 1; } - v[start..end].reverse(); + //v[start..end].reverse(); } else { while start > 0 { - body_invariant!(start >= 1 && start < v.len() - 1); + body_invariant!(cur_runs_len == v.len() - end); + body_invariant!(start >= 1 && start < v.len() - 1 && start < end); if v[start] < v[start - 1] { break; } @@ -315,35 +350,78 @@ fn merge_sort(v: &mut [i32]) { } } + while start > 0 && end - start < MIN_RUN { - body_invariant!(start >= 1); + body_invariant!(cur_runs_len == v.len() - end); + body_invariant!(start >= 1 && end <= v.len() && start < end); start -= 1; insert_head(&mut v[start..end]); } - runs.push(Run { start, len: end - start, array_size: len }); + + assert!(cur_runs_len == runs.runs_sum); + assert!(cur_runs_len == v.len() - end); + assert!(runs.runs_sum == v.len() - end); + + let new_len = end - start; + assert!(2 * new_len <= usize::MAX); + + assert!(cur_runs_len + new_len <= v.len()); + assert!(runs.runs_sum + new_len <= v.len()); + assert!(2 * (cur_runs_len + new_len) <= usize::MAX); + assert!(2 * (runs.runs_sum + new_len) <= usize::MAX); + + cur_runs_len += new_len; + runs.push(start, new_len); + + assert!(cur_runs_len == v.len() - start); + end = start; + + assert!(cur_runs_len == runs.runs_sum); + assert!(cur_runs_len == v.len() - end); + assert!(runs.runs_sum == v.len() - end); + assert!(2 * cur_runs_len <= usize::MAX); + assert!(2 * runs.runs_sum <= usize::MAX); + /* loop { + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> 2 * runs.index_len(i) <= usize::MAX))); + //body_invariant!(2 * runs.runs_sum <= usize::MAX); + let r = collapse(&runs); assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); + if r == runs.len() { assert!(r == runs.len()); break; } else if runs.len() > 1 && r < runs.len() - 1 { assert!(runs.len() > 1 && r < runs.len() - 1); - let left = runs.index(r + 1); - let right = runs.index(r); + let left_start = runs.index_start(r + 1); + let left_len = runs.index_len(r + 1); + let right_start = runs.index_start(r); + let right_len = runs.index_len(r); + + /* merge( - &mut v[left.start..right.run_last_index_exclusive()], - left.len, + &mut v[left_start..right_start + right_len], + left_len, &mut buf, ); - //runs.assign(r, Run { start: left.start, len: left.len + right.len, array_size: len }); - runs.remove(r + 1); + */ + runs.merge(r, left_start, left_len + right_len); + //is part of upper function runs.remove(r + 1); } + } + */ } - //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); +} + +#[trusted] +#[requires(2 * v.len() <= usize::MAX)] +fn start(v: &mut [i32]) { + let mut runs = Runs{start: vec![], len:vec![], runs_sum: 0}; + merge_sort(v, &mut runs); } \ No newline at end of file From 5be2b1b8b83f3b9a662ca6e10c51aa64bc1cf917 Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Fri, 22 Apr 2022 06:09:18 +0200 Subject: [PATCH 09/14] finish verification of absence of panics and overflows --- .../verifying_tim_sort/src/main.rs | 477 +++++++++++------- .../verifying_tim_sort/src/rewritten_code.rs | 420 ++++++++++----- 2 files changed, 591 insertions(+), 306 deletions(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index 70a5a5b7ec6..74c55eb38ce 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,15 +1,13 @@ -extern crate prusti_contracts; use prusti_contracts::*; use std::vec::Vec; pub fn main() { let mut x : [i32; 50] = [5; 50]; - //merge_sort(&mut x); + merge_sort(&mut x); } fn insert_head(v: &mut [i32]) { - /* if v.len() >= 2 && (v[1] < v[0]) { let tmp = v[0]; v[0] = v[1]; @@ -24,7 +22,6 @@ fn insert_head(v: &mut [i32]) { } v[i - 1] = tmp; } - */ } struct Buf{ @@ -32,7 +29,12 @@ struct Buf{ } impl Buf { - /* + #[trusted] + #[ensures(result.len() == 0)] + pub fn new(len: usize) -> Buf { + Buf {v: Vec::with_capacity(len / 2)} + } + #[trusted] #[pure] #[ensures(result >= 0)] @@ -43,7 +45,6 @@ impl Buf { #[trusted] #[pure] #[requires(0 <= index && index < self.len())] - //#[ensures(self.len() == old(self).len())] pub fn index(&self, index: usize) -> i32 { self.v[index] } @@ -53,16 +54,17 @@ impl Buf { pub fn push(&mut self, value: i32) { self.v.push(value); } - */ } -//#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] +#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] +#[ensures(v.len() == old(v.len()))] fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { - /* let len = v.len(); if mid <= len - mid { let mut i = 0; while i < mid { + body_invariant!(v.len() == len); + body_invariant!(i < mid); body_invariant!(buf.len() == i); body_invariant!(buf.len() < mid); @@ -77,6 +79,8 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let mut out = 0; while left < mid && right < len { + body_invariant!(v.len() == len); + body_invariant!(right < len); body_invariant!(len == v.len()); body_invariant!(right < v.len()); @@ -98,8 +102,12 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } out += 1; } + + assert!(v.len() == len); while left < mid { + body_invariant!(v.len() == len); + body_invariant!(left < mid); body_invariant!(v.len() - out >= mid - left); body_invariant!(out < v.len()); @@ -112,9 +120,13 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { out += 1; left += 1; } + + assert!(v.len() == len); } else { let mut i = mid; while i < len { + body_invariant!(v.len() == len); + body_invariant!(i >= mid && i < len); body_invariant!(buf.len() == i - mid); body_invariant!(buf.len() < len - mid); @@ -129,6 +141,8 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let mut out = len; while left > 0 && right > 0 { + body_invariant!(v.len() == len); + body_invariant!(left >= 1); body_invariant!(mid <= v.len()); body_invariant!(left <= mid); @@ -153,7 +167,11 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } } + assert!(v.len() == len); + while right > 0 { + body_invariant!(v.len() == len); + body_invariant!(right >= 1); body_invariant!(right <= len - mid); @@ -165,37 +183,58 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { right -= 1; v[right] = buf.index(right); } + + assert!(v.len() == len); } - */ } struct Runs{ start: Vec, len: Vec, - runs_sum: usize, + runs_sum_cur: usize, + runs_sum_max: usize, } impl Runs { + #[trusted] + #[requires(runs_sum_max <= usize::MAX)] + #[ensures(result.len() == 0)] + #[ensures(result.get_runs_sum_cur() == 0)] + #[ensures(result.get_runs_sum_max() == runs_sum_max)] + pub fn new(runs_sum_max: usize) -> Runs { + Runs {start: vec![], len: vec![], runs_sum_cur: 0, runs_sum_max} + } + #[trusted] #[pure] #[ensures(result >= 0)] pub fn len(&self) -> usize { self.len.len() } + + #[pure] + pub fn get_runs_sum_cur(&self) -> usize { + self.runs_sum_cur + } + + #[pure] + pub fn get_runs_sum_max(&self) -> usize { + self.runs_sum_max + } - #[requires(self.runs_sum + value <= usize::MAX)] - #[ensures(self.runs_sum == old(self.runs_sum) + value)] - #[ensures(self.runs_sum <= usize::MAX)] - pub fn add_runs_sum(&mut self, value: usize) { - self.runs_sum += value; + #[requires(self.get_runs_sum_cur() + value <= self.get_runs_sum_max())] + #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()) + value)] + #[ensures(self.get_runs_sum_cur() <= self.get_runs_sum_max())] + pub fn add_runs_sum_cur(&mut self, value: usize) { + self.runs_sum_cur += value; } - // #[pure] - // #[trusted] - // #[requires(0 <= index && index < self.len())] - // pub fn index_start(&self, index: usize) -> usize { - // self.start[index] - // } + #[pure] + #[trusted] + #[requires(0 <= index && index < self.len())] + pub fn index_start(&self, index: usize) -> usize { + self.start[index] + } #[pure] #[trusted] @@ -203,191 +242,255 @@ impl Runs { pub fn index_len(&self, index: usize) -> usize { self.len[index] } - + #[trusted] - #[requires(2 * new_len <= usize::MAX)] - #[requires(2 * (self.runs_sum + new_len) <= usize::MAX)] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[requires(self.get_runs_sum_cur() + new_len <= self.get_runs_sum_max())] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + new_len <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[requires(self.len() == 0 || self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[requires(self.len() == 0 || new_start < self.index_start(self.len() - 1))] + #[requires(self.len() < 1 || new_start + new_len == self.index_start(self.len() - 1))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] #[ensures(self.len() == old(self.len()) + 1)] - #[ensures(self.runs_sum == old(self.runs_sum) + new_len)] - #[ensures(new_len <= self.runs_sum)] - #[ensures(2 * (self.runs_sum) <= usize::MAX)] #[ensures(self.index_len(self.len() - 1) == new_len)] - #[ensures(self.runs_sum == old(self.runs_sum) + self.index_len(self.len() - 1))] - #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> 2 * self.index_len(i) <= usize::MAX)))] + #[ensures(self.get_runs_sum_cur() == new_len + old(self.get_runs_sum_cur()))] + #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] pub fn push(&mut self, new_start: usize, new_len: usize) { - self.add_runs_sum(new_len); + self.add_runs_sum_cur(new_len); self.start.push(new_start); self.len.push(new_len); } - // #[trusted] - // #[requires(0 <= index && index < self.len() - 1)] - // #[requires(new_len == self.index_len(index) + self.index_len(index + 1))] - // #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] - // #[ensures(self.len() == old(self.len()) - 1)] - // #[ensures(self.runs_sum == old(self.runs_sum))] - // #[ensures(2 * (self.runs_sum) <= usize::MAX)] - // #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> 2 * self.index_len(i) <= usize::MAX)))] - // pub fn merge(&mut self, index: usize, new_start: usize, new_len: usize) { - // self.start[index] = new_start; - // self.len[index] = new_len; - // self.start.remove(index + 1); - // self.len.remove(index + 1); - // } + #[trusted] + #[requires(0 <= index && index < self.len() - 1)] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[requires(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[ensures(self.len() == old(self.len()) - 1)] + #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] + #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()))] + #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + pub fn merge(&mut self, index: usize) { + let new_start = self.index_start(index + 1); + let new_len = self.index_len(index) + self.index_len(index + 1); + self.start[index] = new_start; + self.len[index] = new_len; + self.start.remove(index + 1); + self.len.remove(index + 1); + } +} + +#[trusted] +#[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] +#[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] +fn collapse(runs: &Runs) -> usize { + let n = runs.len(); + if n >= 2 { + assert!(n >= 2 && n <= runs.len()); + if runs.index_start(n - 1) == 0 { + return n - 2; + } else if runs.index_len(n - 2) <= runs.index_len(n - 1) { + return n - 2; + } else if n >= 3 { + assert!(n >= 3 && n <= runs.len()); + assert!(runs.index_len(n - 2) <= usize::MAX); + if runs.index_len(n - 3) <= runs.index_len(n - 2) + runs.index_len(n - 1) { + if runs.index_len(n - 3) < runs.index_len(n - 1) { + return n - 3; + } else { + return n - 2; + } + } else if n >= 4 { + assert!(n >= 4 && n <= runs.len()); + if runs.index_len(n - 4) <= runs.index_len(n - 3) + runs.index_len(n - 2) { + if runs.index_len(n - 3) < runs.index_len(n - 1) { + return n - 3; + } else { + return n - 2; + } + } + } + } + } + return n; } -// #[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> 2 * runs.index_len(i) <= usize::MAX)))] -// #[requires(2 * runs.runs_sum <= usize::MAX)] -// #[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] -// fn collapse(runs: &Runs) -> usize { -// let n = runs.len(); -// if n >= 2 { -// assert!(n >= 2 && n <= runs.len()); -// if runs.index_start(n - 1) == 0 { -// return n - 2; -// } else if runs.index_len(n - 2) <= runs.index_len(n - 1) { -// return n - 2; -// } else if n >= 3 { -// assert!(n >= 3 && n <= runs.len()); -// assert!(runs.index_len(n - 2) <= usize::MAX); -// assert!(runs.runs_sum <= usize::MAX); -// //assert!(runs.index_len(n - 2) + runs.index_len(n - 1) <= usize::MAX); -// if runs.index_len(n - 3) <= runs.index_len(n - 2) + runs.index_len(n - 1) { -// if runs.index_len(n - 3) < runs.index_len(n - 1) { -// return n - 3; -// } else { -// return n - 2; -// } -// } else if n >= 4 { -// assert!(n >= 4 && n <= runs.len()); -// if runs.index_len(n - 4) <= runs.index_len(n - 3) + runs.index_len(n - 2) { -// if runs.index_len(n - 3) < runs.index_len(n - 1) { -// return n - 3; -// } else { -// return n - 2; -// } -// } -// } -// } -// } -// return n; -// } - -#[requires(runs.len() == 0 && runs.runs_sum == 0)] +#[trusted] #[requires(2 * v.len() <= usize::MAX)] -fn merge_sort(v: &mut [i32], runs: &mut Runs) { +fn sort_small_array(v: &mut [i32]) { + let len = v.len(); + if len >= 2 { + let mut i = len - 2; + loop { + body_invariant!(i >= 0); + insert_head(&mut v[i..]); + if i == 0 { + break; + } else { + i -= 1; + } + } + } +} + +#[trusted] +#[requires(v.len() <= usize::MAX)] +#[requires(runs.get_runs_sum_max() == v.len())] +#[requires(end >= 1 && end <= v.len())] +#[requires(runs.get_runs_sum_cur() == v.len() - end)] +#[requires(MIN_RUN < 100)] +#[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] +#[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] +#[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] +#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[requires(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] +#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] +#[ensures(runs.len() == old(runs.len()) + 1)] +#[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] +#[ensures(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] +#[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] +#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[ensures(runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] +#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] +#[ensures(result >= 0 && result < v.len())] +#[ensures(runs.get_runs_sum_cur() == v.len() - result)] +#[ensures(runs.get_runs_sum_max() == old(runs.get_runs_sum_max()))] +#[ensures(v.len() == old(v.len()))] +#[ensures(runs.get_runs_sum_max() == v.len())] +fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) -> usize { + let mut start = end - 1; + assert!(start < end); + + if start > 0 { + start -= 1; + assert!(start < end - 1); + assert!(end <= v.len()); + assert!(start < v.len() - 1); + if v[start + 1] < v[start] { + while start > 0 { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + if !(v[start] < v[start - 1]) { + break; + } + start -= 1; + } + v[start..end].reverse(); + } else { + while start > 0 { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + if v[start] < v[start - 1] { + break; + } + start -= 1; + } + } + } + + + while start > 0 && end - start < MIN_RUN { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && end <= v.len() && start < end); + start -= 1; + insert_head(&mut v[start..end]); + } + + assert!(runs.get_runs_sum_cur() == v.len() - end); + + assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); + assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == end); + assert!(start < end); + assert!(runs.len() == 0 || start < runs.index_start(runs.len() - 1)); + + let new_len = end - start; + assert!(start + new_len <= v.len()); + assert!(start + new_len <= runs.get_runs_sum_max()); + + assert!(start + new_len == end); + assert!(start + new_len == runs.index_start(runs.len() - 1)); + + runs.push(start, new_len); + end = start; + + assert!(runs.get_runs_sum_cur() == v.len() - end); + + return end; +} + +#[requires(v.len() <= usize::MAX)] +fn merge_sort(v: &mut [i32]) { const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; + let MIN_RUN_COPY = MIN_RUN; if v.len() == 0 { return; } let len = v.len(); - //assert!(len == v.len()); if len <= MAX_INSERTION { - if len >= 2 { - let mut i = len - 2; - loop { - body_invariant!(i >= 0); - insert_head(&mut v[i..]); - if i == 0 { - break; - } else { - //assert!(i > 0); - i -= 1; - } - } - } + sort_small_array(v); return; } - let mut buf = Buf{v: Vec::with_capacity(len / 2)}; - //let mut runs = Runs{start: vec![], len:vec![], runs_sum: 0}; - let mut end = len; - //assert!(end == v.len()); + let mut buf = Buf::new(len / 2); + let mut runs = Runs::new(v.len()); + assert!(v.len() >= 1); - assert!(runs.runs_sum == 0); assert!(runs.len() == 0); + assert!(runs.get_runs_sum_cur() == 0); + assert!(runs.get_runs_sum_max() == v.len()); - let mut cur_runs_len = 0; + let mut end = len; while end > 0 { + body_invariant!(buf.len() == 0); body_invariant!(end >= 1 && end <= v.len()); - body_invariant!(cur_runs_len == runs.runs_sum); - body_invariant!(cur_runs_len == v.len() - end); - body_invariant!(runs.runs_sum == v.len() - end); - body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> 2 * runs.index_len(i) <= usize::MAX))); - - - let mut start = end - 1; - assert!(start < end); - - if start > 0 { - start -= 1; - assert!(start < end - 1); - assert!(end <= v.len()); - assert!(start < v.len() - 1); - if v[start + 1] < v[start] { - while start > 0 { - body_invariant!(cur_runs_len == v.len() - end); - body_invariant!(start >= 1 && start < v.len() - 1 && start < end); - if !(v[start] < v[start - 1]) { - break; - } - start -= 1; - } - //v[start..end].reverse(); - } else { - while start > 0 { - body_invariant!(cur_runs_len == v.len() - end); - body_invariant!(start >= 1 && start < v.len() - 1 && start < end); - if v[start] < v[start - 1] { - break; - } - start -= 1; - } - } - } - - - while start > 0 && end - start < MIN_RUN { - body_invariant!(cur_runs_len == v.len() - end); - body_invariant!(start >= 1 && end <= v.len() && start < end); - start -= 1; - insert_head(&mut v[start..end]); - } - - - assert!(cur_runs_len == runs.runs_sum); - assert!(cur_runs_len == v.len() - end); - assert!(runs.runs_sum == v.len() - end); - - let new_len = end - start; - assert!(2 * new_len <= usize::MAX); + body_invariant!(runs.get_runs_sum_max() == v.len()); + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(runs.get_runs_sum_cur() < runs.get_runs_sum_max()); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); + body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); + + assert!(end >= 1 && end <= v.len()); + end = push_new_run(v, &mut runs, end, MIN_RUN_COPY); + assert!(runs.get_runs_sum_cur() == v.len() - end); + assert!(runs.get_runs_sum_max() == v.len()); - assert!(cur_runs_len + new_len <= v.len()); - assert!(runs.runs_sum + new_len <= v.len()); - assert!(2 * (cur_runs_len + new_len) <= usize::MAX); - assert!(2 * (runs.runs_sum + new_len) <= usize::MAX); - cur_runs_len += new_len; - runs.push(start, new_len); - - assert!(cur_runs_len == v.len() - start); - - end = start; - - assert!(cur_runs_len == runs.runs_sum); - assert!(cur_runs_len == v.len() - end); - assert!(runs.runs_sum == v.len() - end); - assert!(2 * cur_runs_len <= usize::MAX); - assert!(2 * runs.runs_sum <= usize::MAX); - - /* loop { - body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> 2 * runs.index_len(i) <= usize::MAX))); - //body_invariant!(2 * runs.runs_sum <= usize::MAX); + body_invariant!(buf.len() == 0); + body_invariant!(runs.get_runs_sum_max() == v.len()); + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(runs.get_runs_sum_cur() <= runs.get_runs_sum_max()); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); + body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); let r = collapse(&runs); assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); @@ -402,26 +505,26 @@ fn merge_sort(v: &mut [i32], runs: &mut Runs) { let right_start = runs.index_start(r); let right_len = runs.index_len(r); - /* + assert!(left_start < right_start); + assert!(right_start + right_len <= runs.get_runs_sum_max()); + assert!(right_start + right_len <= v.len()); + + assert!(left_start + left_len == right_start); + merge( &mut v[left_start..right_start + right_len], left_len, &mut buf, ); - */ - runs.merge(r, left_start, left_len + right_len); - //is part of upper function runs.remove(r + 1); + + buf = Buf::new(len / 2); + assert!(buf.len() == 0); + + runs.merge(r); } } - */ + } //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); -} - -#[trusted] -#[requires(2 * v.len() <= usize::MAX)] -fn start(v: &mut [i32]) { - let mut runs = Runs{start: vec![], len:vec![], runs_sum: 0}; - merge_sort(v, &mut runs); } \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs index 248dc2ba408..74c55eb38ce 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/rewritten_code.rs @@ -1,4 +1,3 @@ -extern crate prusti_contracts; use prusti_contracts::*; use std::vec::Vec; @@ -30,6 +29,12 @@ struct Buf{ } impl Buf { + #[trusted] + #[ensures(result.len() == 0)] + pub fn new(len: usize) -> Buf { + Buf {v: Vec::with_capacity(len / 2)} + } + #[trusted] #[pure] #[ensures(result >= 0)] @@ -38,8 +43,8 @@ impl Buf { } #[trusted] + #[pure] #[requires(0 <= index && index < self.len())] - #[ensures(self.len() == old(self).len())] pub fn index(&self, index: usize) -> i32 { self.v[index] } @@ -52,12 +57,14 @@ impl Buf { } #[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] +#[ensures(v.len() == old(v.len()))] fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let len = v.len(); - assert!(len == v.len()); if mid <= len - mid { let mut i = 0; while i < mid { + body_invariant!(v.len() == len); + body_invariant!(i < mid); body_invariant!(buf.len() == i); body_invariant!(buf.len() < mid); @@ -72,10 +79,14 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let mut out = 0; while left < mid && right < len { + body_invariant!(v.len() == len); + body_invariant!(right < len); + body_invariant!(len == v.len()); body_invariant!(right < v.len()); body_invariant!(left < mid); + body_invariant!(buf.len() == mid); body_invariant!(left < buf.len()); body_invariant!(left + right - mid < v.len()); @@ -92,21 +103,30 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { out += 1; } + assert!(v.len() == len); + while left < mid { + body_invariant!(v.len() == len); + body_invariant!(left < mid); body_invariant!(v.len() - out >= mid - left); body_invariant!(out < v.len()); body_invariant!(left < mid); + body_invariant!(buf.len() == mid); body_invariant!(left < buf.len()); v[out] = buf.index(left); out += 1; left += 1; } + + assert!(v.len() == len); } else { let mut i = mid; while i < len { + body_invariant!(v.len() == len); + body_invariant!(i >= mid && i < len); body_invariant!(buf.len() == i - mid); body_invariant!(buf.len() < len - mid); @@ -121,6 +141,8 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let mut out = len; while left > 0 && right > 0 { + body_invariant!(v.len() == len); + body_invariant!(left >= 1); body_invariant!(mid <= v.len()); body_invariant!(left <= mid); @@ -145,7 +167,11 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } } + assert!(v.len() == len); + while right > 0 { + body_invariant!(v.len() == len); + body_invariant!(right >= 1); body_invariant!(right <= len - mid); @@ -157,192 +183,348 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { right -= 1; v[right] = buf.index(right); } + + assert!(v.len() == len); } } -#[derive(Clone, Copy)] -struct Run { - start: usize, - len: usize, - array_size: usize, +struct Runs{ + start: Vec, + len: Vec, + runs_sum_cur: usize, + runs_sum_max: usize, } -impl Run { +impl Runs { #[trusted] - #[pure] - #[ensures(result >= 0)] - pub fn len(&self) -> usize { - self.len + #[requires(runs_sum_max <= usize::MAX)] + #[ensures(result.len() == 0)] + #[ensures(result.get_runs_sum_cur() == 0)] + #[ensures(result.get_runs_sum_max() == runs_sum_max)] + pub fn new(runs_sum_max: usize) -> Runs { + Runs {start: vec![], len: vec![], runs_sum_cur: 0, runs_sum_max} } #[trusted] #[pure] #[ensures(result >= 0)] - pub fn start(&self) -> usize { - self.start + pub fn len(&self) -> usize { + self.len.len() } - #[trusted] #[pure] - #[ensures(result >= 0)] - pub fn array_size(&self) -> usize { - self.array_size + pub fn get_runs_sum_cur(&self) -> usize { + self.runs_sum_cur } - #[trusted] #[pure] - #[ensures(result >= 0 && result <= self.array_size())] - pub fn run_last_index_exclusive(&self) -> usize { - self.len() + self.start() + pub fn get_runs_sum_max(&self) -> usize { + self.runs_sum_max } -} - -struct Runs{ - v: Vec, -} - -impl Runs { - #[trusted] - #[pure] - #[ensures(result >= 0)] - pub fn len(&self) -> usize { - self.v.len() + + #[requires(self.get_runs_sum_cur() + value <= self.get_runs_sum_max())] + #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()) + value)] + #[ensures(self.get_runs_sum_cur() <= self.get_runs_sum_max())] + pub fn add_runs_sum_cur(&mut self, value: usize) { + self.runs_sum_cur += value; } + #[pure] #[trusted] #[requires(0 <= index && index < self.len())] - #[ensures(self.len() == old(self).len())] - pub fn index(&self, index: usize) -> &Run { - &self.v[index] + pub fn index_start(&self, index: usize) -> usize { + self.start[index] } + #[pure] #[trusted] #[requires(0 <= index && index < self.len())] - pub fn assign(&mut self, index: usize, value: Run) { - self.v[index] = value; + pub fn index_len(&self, index: usize) -> usize { + self.len[index] } - + #[trusted] - #[ensures(self.len() == old(self).len() + 1)] - pub fn push(&mut self, value: Run) { - self.v.push(value); + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[requires(self.get_runs_sum_cur() + new_len <= self.get_runs_sum_max())] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + new_len <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[requires(self.len() == 0 || self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[requires(self.len() == 0 || new_start < self.index_start(self.len() - 1))] + #[requires(self.len() < 1 || new_start + new_len == self.index_start(self.len() - 1))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[ensures(self.len() == old(self.len()) + 1)] + #[ensures(self.index_len(self.len() - 1) == new_len)] + #[ensures(self.get_runs_sum_cur() == new_len + old(self.get_runs_sum_cur()))] + #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + pub fn push(&mut self, new_start: usize, new_len: usize) { + self.add_runs_sum_cur(new_len); + self.start.push(new_start); + self.len.push(new_len); } + #[trusted] - #[requires(0 <= index && index < self.len())] - #[ensures(self.len() == old(self).len() - 1)] - pub fn remove(&mut self, index: usize) { - self.v.remove(index); + #[requires(0 <= index && index < self.len() - 1)] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[requires(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[ensures(self.len() == old(self.len()) - 1)] + #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] + #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()))] + #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + pub fn merge(&mut self, index: usize) { + let new_start = self.index_start(index + 1); + let new_len = self.index_len(index) + self.index_len(index + 1); + self.start[index] = new_start; + self.len[index] = new_len; + self.start.remove(index + 1); + self.len.remove(index + 1); } } +#[trusted] +#[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] fn collapse(runs: &Runs) -> usize { let n = runs.len(); - if n >= 2 - && (runs.index(n - 1).start == 0 - || runs.index(n - 2).len <= runs.index(n - 1).len - || (n >= 3 && runs.index(n - 3).len <= runs.index(n - 2).len + runs.index(n - 1).len) - || (n >= 4 && runs.index(n - 4).len <= runs.index(n - 3).len + runs.index(n - 2).len)) - { - if n >= 3 && runs.index(n - 3).len < runs.index(n - 1).len { n - 3 } else { n - 2 } - } else { - n + if n >= 2 { + assert!(n >= 2 && n <= runs.len()); + if runs.index_start(n - 1) == 0 { + return n - 2; + } else if runs.index_len(n - 2) <= runs.index_len(n - 1) { + return n - 2; + } else if n >= 3 { + assert!(n >= 3 && n <= runs.len()); + assert!(runs.index_len(n - 2) <= usize::MAX); + if runs.index_len(n - 3) <= runs.index_len(n - 2) + runs.index_len(n - 1) { + if runs.index_len(n - 3) < runs.index_len(n - 1) { + return n - 3; + } else { + return n - 2; + } + } else if n >= 4 { + assert!(n >= 4 && n <= runs.len()); + if runs.index_len(n - 4) <= runs.index_len(n - 3) + runs.index_len(n - 2) { + if runs.index_len(n - 3) < runs.index_len(n - 1) { + return n - 3; + } else { + return n - 2; + } + } + } + } } + return n; } -fn merge_sort(v: &mut [i32]) { +#[trusted] +#[requires(2 * v.len() <= usize::MAX)] +fn sort_small_array(v: &mut [i32]) { + let len = v.len(); + if len >= 2 { + let mut i = len - 2; + loop { + body_invariant!(i >= 0); + insert_head(&mut v[i..]); + if i == 0 { + break; + } else { + i -= 1; + } + } + } +} + +#[trusted] +#[requires(v.len() <= usize::MAX)] +#[requires(runs.get_runs_sum_max() == v.len())] +#[requires(end >= 1 && end <= v.len())] +#[requires(runs.get_runs_sum_cur() == v.len() - end)] +#[requires(MIN_RUN < 100)] +#[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] +#[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] +#[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] +#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[requires(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] +#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] +#[ensures(runs.len() == old(runs.len()) + 1)] +#[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] +#[ensures(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] +#[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] +#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[ensures(runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] +#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] +#[ensures(result >= 0 && result < v.len())] +#[ensures(runs.get_runs_sum_cur() == v.len() - result)] +#[ensures(runs.get_runs_sum_max() == old(runs.get_runs_sum_max()))] +#[ensures(v.len() == old(v.len()))] +#[ensures(runs.get_runs_sum_max() == v.len())] +fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) -> usize { + let mut start = end - 1; + assert!(start < end); + if start > 0 { + start -= 1; + assert!(start < end - 1); + assert!(end <= v.len()); + assert!(start < v.len() - 1); + if v[start + 1] < v[start] { + while start > 0 { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + if !(v[start] < v[start - 1]) { + break; + } + start -= 1; + } + v[start..end].reverse(); + } else { + while start > 0 { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + if v[start] < v[start - 1] { + break; + } + start -= 1; + } + } + } + + + while start > 0 && end - start < MIN_RUN { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && end <= v.len() && start < end); + start -= 1; + insert_head(&mut v[start..end]); + } + + assert!(runs.get_runs_sum_cur() == v.len() - end); + + assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); + assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == end); + assert!(start < end); + assert!(runs.len() == 0 || start < runs.index_start(runs.len() - 1)); + + let new_len = end - start; + assert!(start + new_len <= v.len()); + assert!(start + new_len <= runs.get_runs_sum_max()); + + assert!(start + new_len == end); + assert!(start + new_len == runs.index_start(runs.len() - 1)); + + runs.push(start, new_len); + end = start; + + assert!(runs.get_runs_sum_cur() == v.len() - end); + + return end; +} + +#[requires(v.len() <= usize::MAX)] +fn merge_sort(v: &mut [i32]) { const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; + let MIN_RUN_COPY = MIN_RUN; if v.len() == 0 { return; } let len = v.len(); - assert!(len == v.len()); - if len <= MAX_INSERTION { - if len >= 2 { - let mut i = len - 2; - loop { - body_invariant!(i >= 0); - insert_head(&mut v[i..]); - if i == 0 { - break; - } else { - assert!(i > 0); - i -= 1; - } - } - } + sort_small_array(v); return; } - - let mut buf = Buf{v: Vec::with_capacity(len / 2)}; - let mut runs = Runs{v: vec![]}; + + let mut buf = Buf::new(len / 2); + let mut runs = Runs::new(v.len()); + + assert!(v.len() >= 1); + assert!(runs.len() == 0); + assert!(runs.get_runs_sum_cur() == 0); + assert!(runs.get_runs_sum_max() == v.len()); + let mut end = len; - assert!(end == v.len()); - while end > 0 { + body_invariant!(buf.len() == 0); body_invariant!(end >= 1 && end <= v.len()); - let mut start = end - 1; - - if start > 0 { - start -= 1; - assert!(start < end - 1); - assert!(end <= v.len()); - assert!(start < v.len() - 1); - if v[start + 1] < v[start] { - while start > 0 { - body_invariant!(start >= 1 && start < v.len() - 1); - if !(v[start] < v[start - 1]) { - break; - } - start -= 1; - } - v[start..end].reverse(); - } else { - while start > 0 { - body_invariant!(start >= 1 && start < v.len() - 1); - if v[start] < v[start - 1] { - break; - } - start -= 1; - } - } - } + body_invariant!(runs.get_runs_sum_max() == v.len()); + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(runs.get_runs_sum_cur() < runs.get_runs_sum_max()); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); + body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); + + assert!(end >= 1 && end <= v.len()); + end = push_new_run(v, &mut runs, end, MIN_RUN_COPY); + assert!(runs.get_runs_sum_cur() == v.len() - end); + assert!(runs.get_runs_sum_max() == v.len()); - while start > 0 && end - start < MIN_RUN { - body_invariant!(start >= 1); - start -= 1; - insert_head(&mut v[start..end]); - } - - runs.push(Run { start, len: end - start, array_size: len }); - end = start; loop { + body_invariant!(buf.len() == 0); + body_invariant!(runs.get_runs_sum_max() == v.len()); + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(runs.get_runs_sum_cur() <= runs.get_runs_sum_max()); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); + body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); + let r = collapse(&runs); assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); + if r == runs.len() { assert!(r == runs.len()); break; } else if runs.len() > 1 && r < runs.len() - 1 { assert!(runs.len() > 1 && r < runs.len() - 1); - let left = runs.index(r + 1); - let right = runs.index(r); + let left_start = runs.index_start(r + 1); + let left_len = runs.index_len(r + 1); + let right_start = runs.index_start(r); + let right_len = runs.index_len(r); + + assert!(left_start < right_start); + assert!(right_start + right_len <= runs.get_runs_sum_max()); + assert!(right_start + right_len <= v.len()); + + assert!(left_start + left_len == right_start); + merge( - &mut v[left.start..right.run_last_index_exclusive()], - left.len, + &mut v[left_start..right_start + right_len], + left_len, &mut buf, ); - //runs.assign(r, Run { start: left.start, len: left.len + right.len, array_size: len }); - runs.remove(r + 1); + + buf = Buf::new(len / 2); + assert!(buf.len() == 0); + + runs.merge(r); } + } + } - //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); } \ No newline at end of file From fd0685656894b3e58051052e78c2a0e4294c20f2 Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Wed, 4 May 2022 22:09:56 +0200 Subject: [PATCH 10/14] verify sortedness property partially --- .../verifying_tim_sort/src/fix_panic_code.rs | 538 ++++++++++++++++++ .../verifying_tim_sort/src/main.rs | 305 +++++++--- 2 files changed, 775 insertions(+), 68 deletions(-) create mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/src/fix_panic_code.rs diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/fix_panic_code.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/fix_panic_code.rs new file mode 100644 index 00000000000..5215e0a29c7 --- /dev/null +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/fix_panic_code.rs @@ -0,0 +1,538 @@ +use prusti_contracts::*; + +use std::vec::Vec; + +pub fn main() { + let mut x : [i32; 50] = [5; 50]; + //merge_sort(&mut x); +} + +fn insert_head(v: &mut [i32]) { + if v.len() >= 2 && (v[1] < v[0]) { + let tmp = v[0]; + v[0] = v[1]; + let mut i = 2; + while i < v.len() { + body_invariant!(i >= 2 && i < v.len()); + if !(i < v.len() && v[i] < tmp) { + break; + } + v[i - 1] = v[i]; + i += 1; + } + v[i - 1] = tmp; + } +} + +struct Buf{ + v: Vec, +} + +impl Buf { + #[trusted] + #[ensures(result.len() == 0)] + pub fn new(len: usize) -> Buf { + Buf {v: Vec::with_capacity(len / 2)} + } + + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn len(&self) -> usize { + self.v.len() + } + + #[trusted] + #[pure] + #[requires(0 <= index && index < self.len())] + pub fn index(&self, index: usize) -> i32 { + self.v[index] + } + + #[trusted] + #[ensures(self.len() == old(self).len() + 1)] + pub fn push(&mut self, value: i32) { + self.v.push(value); + } +} + +#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] +#[ensures(v.len() == old(v.len()))] +fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { + let len = v.len(); + if mid <= len - mid { + let mut i = 0; + while i < mid { + body_invariant!(v.len() == len); + + body_invariant!(i < mid); + body_invariant!(buf.len() == i); + body_invariant!(buf.len() < mid); + buf.push(v[i]); + i += 1; + assert!(buf.len() <= mid); + } + assert!(buf.len() == mid); + + let mut left = 0; + let mut right = mid; + let mut out = 0; + + while left < mid && right < len { + body_invariant!(v.len() == len); + + body_invariant!(right < len); + body_invariant!(len == v.len()); + body_invariant!(right < v.len()); + + body_invariant!(left < mid); + body_invariant!(buf.len() == mid); + body_invariant!(left < buf.len()); + + body_invariant!(left + right - mid < v.len()); + body_invariant!(out <= left + right - mid); + body_invariant!(out < v.len()); + + if v[right] < buf.index(left) { + v[out] = v[right]; + right += 1; + } else { + v[out] = buf.index(left); + left += 1; + } + out += 1; + } + + assert!(v.len() == len); + + while left < mid { + body_invariant!(v.len() == len); + + body_invariant!(left < mid); + body_invariant!(v.len() - out >= mid - left); + body_invariant!(out < v.len()); + + body_invariant!(left < mid); + body_invariant!(buf.len() == mid); + body_invariant!(left < buf.len()); + + v[out] = buf.index(left); + out += 1; + left += 1; + } + + assert!(v.len() == len); + } else { + let mut i = mid; + while i < len { + body_invariant!(v.len() == len); + + body_invariant!(i >= mid && i < len); + body_invariant!(buf.len() == i - mid); + body_invariant!(buf.len() < len - mid); + buf.push(v[i]); + i += 1; + assert!(buf.len() <= len - mid); + } + assert!(buf.len() == len - mid); + + let mut left = mid; + let mut right = len - mid; + let mut out = len; + + while left > 0 && right > 0 { + body_invariant!(v.len() == len); + + body_invariant!(left >= 1); + body_invariant!(mid <= v.len()); + body_invariant!(left <= mid); + body_invariant!(left <= v.len()); + + body_invariant!(right >= 1); + body_invariant!(right <= len - mid); + body_invariant!(right <= buf.len()); + + body_invariant!(out <= v.len()); + body_invariant!(left + right > 0); + body_invariant!(out == left + right); + body_invariant!(out > 0); + + out -= 1; + if buf.index(right - 1) < v[left - 1] { + left -= 1; + v[out] = v[left]; + } else { + right -= 1; + v[out] = buf.index(right); + } + } + + assert!(v.len() == len); + + while right > 0 { + body_invariant!(v.len() == len); + + body_invariant!(right >= 1); + + body_invariant!(right <= len - mid); + body_invariant!(right <= buf.len()); + + body_invariant!(right <= len); + body_invariant!(right <= v.len()); + + right -= 1; + v[right] = buf.index(right); + } + + assert!(v.len() == len); + } +} + +struct Runs{ + start: Vec, + len: Vec, + runs_sum_cur: usize, + runs_sum_max: usize, +} + +impl Runs { + #[trusted] + #[requires(runs_sum_max <= usize::MAX)] + #[ensures(result.len() == 0)] + #[ensures(result.get_runs_sum_cur() == 0)] + #[ensures(result.get_runs_sum_max() == runs_sum_max)] + pub fn new(runs_sum_max: usize) -> Runs { + Runs {start: vec![], len: vec![], runs_sum_cur: 0, runs_sum_max} + } + + #[trusted] + #[pure] + #[ensures(result >= 0)] + pub fn len(&self) -> usize { + self.len.len() + } + + #[pure] + pub fn get_runs_sum_cur(&self) -> usize { + self.runs_sum_cur + } + + #[pure] + pub fn get_runs_sum_max(&self) -> usize { + self.runs_sum_max + } + + #[requires(self.get_runs_sum_cur() + value <= self.get_runs_sum_max())] + #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()) + value)] + #[ensures(self.get_runs_sum_cur() <= self.get_runs_sum_max())] + pub fn add_runs_sum_cur(&mut self, value: usize) { + self.runs_sum_cur += value; + } + + #[pure] + #[trusted] + #[requires(0 <= index && index < self.len())] + pub fn index_start(&self, index: usize) -> usize { + self.start[index] + } + + #[pure] + #[trusted] + #[requires(0 <= index && index < self.len())] + pub fn index_len(&self, index: usize) -> usize { + self.len[index] + } + + #[trusted] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[requires(self.get_runs_sum_cur() + new_len <= self.get_runs_sum_max())] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + new_len <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i) > self.index_start(i + 1)))))] + #[requires(self.len() == 0 || self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[requires(self.len() == 0 || new_start < self.index_start(self.len() - 1))] + #[requires(self.len() < 1 || new_start + new_len == self.index_start(self.len() - 1))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + + #[ensures(self.len() == old(self.len()) + 1)] + #[ensures(self.index_len(self.len() - 1) == new_len)] + #[ensures(self.get_runs_sum_cur() == new_len + old(self.get_runs_sum_cur()))] + #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i) > self.index_start(i + 1)))))] + #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[ensures(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i + 1) + self.index_len(i + 1) == self.index_start(i)))))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + pub fn push(&mut self, new_start: usize, new_len: usize) { + self.add_runs_sum_cur(new_len); + self.start.push(new_start); + self.len.push(new_len); + } + + /* + #[trusted] + #[requires(0 <= index && index < self.len() - 1)] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[requires(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[ensures(self.len() == old(self.len()) - 1)] + #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] + #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()))] + #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] + #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + pub fn merge(&mut self, index: usize) { + let new_start = self.index_start(index + 1); + let new_len = self.index_len(index) + self.index_len(index + 1); + self.start[index] = new_start; + self.len[index] = new_len; + self.start.remove(index + 1); + self.len.remove(index + 1); + } + */ +} +/* +#[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] +#[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] +fn collapse(runs: &Runs) -> usize { + let n = runs.len(); + if n >= 2 { + assert!(n >= 2 && n <= runs.len()); + if runs.index_start(n - 1) == 0 { + return n - 2; + } else if runs.index_len(n - 2) <= runs.index_len(n - 1) { + return n - 2; + } else if n >= 3 { + assert!(n >= 3 && n <= runs.len()); + assert!(runs.index_len(n - 2) <= usize::MAX); + if runs.index_len(n - 3) <= runs.index_len(n - 2) + runs.index_len(n - 1) { + if runs.index_len(n - 3) < runs.index_len(n - 1) { + return n - 3; + } else { + return n - 2; + } + } else if n >= 4 { + assert!(n >= 4 && n <= runs.len()); + if runs.index_len(n - 4) <= runs.index_len(n - 3) + runs.index_len(n - 2) { + if runs.index_len(n - 3) < runs.index_len(n - 1) { + return n - 3; + } else { + return n - 2; + } + } + } + } + } + return n; +} + +#[requires(v.len() <= usize::MAX)] +fn sort_small_array(v: &mut [i32]) { + let len = v.len(); + if len >= 2 { + let mut i = len - 2; + loop { + body_invariant!(i >= 0); + insert_head(&mut v[i..]); + if i == 0 { + break; + } else { + i -= 1; + } + } + } +} +*/ +#[requires(v.len() <= usize::MAX)] +#[requires(runs.get_runs_sum_max() == v.len())] +#[requires(end >= 1 && end <= v.len())] +#[requires(runs.get_runs_sum_cur() == v.len() - end)] +#[requires(MIN_RUN < 100)] +#[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] +#[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] +#[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] +#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[requires(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] +#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))]#[ensures(runs.len() == old(runs.len()) + 1)] +#[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] +#[ensures(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] +#[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] +#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[ensures(runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] +#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] +#[ensures(result >= 0 && result < v.len())] +#[ensures(v.len() == old(v.len()))] +#[ensures(runs.get_runs_sum_cur() == v.len() - result)] +#[ensures(runs.get_runs_sum_max() == old(runs.get_runs_sum_max()))] +#[ensures(runs.get_runs_sum_max() == v.len())] +fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) -> usize { + let mut start = end - 1; + assert!(start < end); + + if start > 0 { + assert!(runs.get_runs_sum_cur() == v.len() - end); + start -= 1; + assert!(start < end - 1); + assert!(end <= v.len()); + assert!(start < v.len() - 1); + if v[start + 1] < v[start] { + while start > 0 { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + if !(v[start] < v[start - 1]) { + break; + } + start -= 1; + } + assert!(runs.get_runs_sum_cur() == v.len() - end); + v[start..end].reverse(); + assert!(runs.get_runs_sum_cur() == v.len() - end); + } else { + while start > 0 { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + if v[start] < v[start - 1] { + break; + } + start -= 1; + } + } + } + + assert!(runs.get_runs_sum_cur() == v.len() - end); + + while start > 0 && end - start < MIN_RUN { + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(start >= 1 && end <= v.len() && start < end); + start -= 1; + insert_head(&mut v[start..end]); + } + + assert!(runs.get_runs_sum_cur() == v.len() - end); + + assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); + assert!(start < end); + //assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == end); + assert!(runs.len() == 0 || (runs.index_start(runs.len() - 1) == end && start < runs.index_start(runs.len() - 1))); + + let new_len = end - start; + assert!(start + new_len <= v.len()); + assert!(start + new_len <= runs.get_runs_sum_max()); + + assert!(start + new_len == end); + assert!(runs.len() == 0 || start + new_len == runs.index_start(runs.len() - 1)); + + runs.push(start, new_len); + + assert!(runs.get_runs_sum_cur() == v.len() - start); + + end = start; + + //assert!(v.len() == runs.get_runs_sum_max()); + assert!(runs.get_runs_sum_cur() == v.len() - end); + + return end; +} + +#[requires(v.len() <= usize::MAX)] +fn merge_sort(v: &mut [i32]) { + const MAX_INSERTION: usize = 20; + const MIN_RUN: usize = 10; + let MIN_RUN_COPY = MIN_RUN; + + if v.len() == 0 { + return; + } + + let len = v.len(); + if len <= MAX_INSERTION { + sort_small_array(v); + return; + } + + let mut buf = Buf::new(len / 2); + let mut runs = Runs::new(v.len()); + + assert!(v.len() >= 1); + assert!(runs.len() == 0); + assert!(runs.get_runs_sum_cur() == 0); + assert!(runs.get_runs_sum_max() == v.len()); + + let mut end = len; + while end > 0 { + body_invariant!(buf.len() == 0); + body_invariant!(end >= 1 && end <= v.len()); + body_invariant!(runs.get_runs_sum_max() == v.len()); + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(runs.get_runs_sum_cur() < runs.get_runs_sum_max()); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); + body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); + + assert!(end >= 1 && end <= v.len()); + end = push_new_run(v, &mut runs, end, MIN_RUN_COPY); + assert!(runs.get_runs_sum_cur() == v.len() - end); + assert!(runs.get_runs_sum_max() == v.len()); + + + loop { + body_invariant!(buf.len() == 0); + body_invariant!(runs.get_runs_sum_max() == v.len()); + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(runs.get_runs_sum_cur() <= runs.get_runs_sum_max()); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); + body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); + + let r = collapse(&runs); + assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); + + if r == runs.len() { + assert!(r == runs.len()); + break; + } else if runs.len() > 1 && r < runs.len() - 1 { + assert!(runs.len() > 1 && r < runs.len() - 1); + let left_start = runs.index_start(r + 1); + let left_len = runs.index_len(r + 1); + let right_start = runs.index_start(r); + let right_len = runs.index_len(r); + + assert!(left_start < right_start); + assert!(right_start + right_len <= runs.get_runs_sum_max()); + assert!(right_start + right_len <= v.len()); + + assert!(left_start + left_len == right_start); + + merge( + &mut v[left_start..right_start + right_len], + left_len, + &mut buf, + ); + + buf = Buf::new(len / 2); + assert!(buf.len() == 0); + + runs.merge(r); + } + + } + + } + //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); +} \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index 74c55eb38ce..3f6723d9a0c 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,26 +1,54 @@ +extern crate prusti_contracts; use prusti_contracts::*; use std::vec::Vec; pub fn main() { let mut x : [i32; 50] = [5; 50]; - merge_sort(&mut x); + //merge_sort(&mut x); + //println!("{:?}", x); } -fn insert_head(v: &mut [i32]) { - if v.len() >= 2 && (v[1] < v[0]) { - let tmp = v[0]; - v[0] = v[1]; - let mut i = 2; - while i < v.len() { - body_invariant!(i >= 2 && i < v.len()); - if !(i < v.len() && v[i] < tmp) { +#[requires(v.len() > 1)] +#[requires(start_index < end_index - 1 && end_index <= v.len())] +#[requires(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y < v.len()) ==> v[x] <= v[y]))] +#[ensures(forall(|x: usize, y: usize| (start_index <= x && x <= y && y < v.len()) ==> v[x] <= v[y]))] +#[ensures(v.len() == old(v.len()))] +fn insert_head(v: &mut [i32], start_index: usize, end_index: usize) { + let mut i = start_index + 1; + while i < end_index { + body_invariant!(i < end_index); + body_invariant!(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y <= i) ==> v[x] <= v[y])); + i += 1; + } + if v.len() >= 2 && (v[start_index + 1] < v[start_index]) { + let tmp = v[start_index]; + v[start_index] = v[start_index + 1]; + let mut i = start_index + 2; + assert!(v[start_index] <= v[start_index + 1]); + assert!(tmp >= v[start_index]); + assert!(tmp >= v[start_index + 1]); + while i < end_index { + body_invariant!(i >= start_index + 2 && i < end_index); + body_invariant!(tmp >= v[i - 1]); + body_invariant!(v[i - 2] == v[i - 1]); + body_invariant!(forall(|x: usize, y: usize| (i <= x && x <= y && y < end_index) ==> v[x] <= v[y])); + if v[i] >= tmp { + assert!(tmp >= v[i - 2]); break; } v[i - 1] = v[i]; + assert!(tmp > v[i]); i += 1; } v[i - 1] = tmp; + assert!(i == end_index || (tmp <= v[i] && tmp >= v[i - 2])); + } + let mut i = start_index; + while i < end_index { + body_invariant!(i < end_index); + body_invariant!(forall(|x: usize, y: usize| (start_index <= x && x <= y && y <= i) ==> v[x] <= v[y])); + i += 1; } } @@ -56,11 +84,27 @@ impl Buf { } } -#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] +// #[trusted] +// #[requires(start < end && end <= v.len())] +// #[requires(start < mid && mid < end)] +// #[requires(forall(|i: usize, j: usize| start <= i && i <= j && j < mid ==> v[i] <= v[j]))] +// #[requires(forall(|i: usize, j: usize| mid <= i && i <= j && j < end ==> v[i] <= v[j]))] +// #[ensures(start < end && end <= v.len())] +// #[ensures(start < mid && mid < end)] +// #[ensures(forall(|i: usize, j: usize| start <= i && i <= j && j < mid ==> v[i] <= v[j]))] +// #[ensures(forall(|i: usize, j: usize| mid <= i && i <= j && j < end ==> v[i] <= v[j]))] +// fn take_mut_slice_for_merging(v: &mut [i32], start: usize, mid: usize, end: usize) -> &mut [i32] { &mut v[start..end] } + + +#[requires(0 < mid && mid < v.len())] +#[requires(buf.len() == 0)] +#[requires(forall(|i: usize, j: usize| 0 <= i && i <= j && j < mid ==> v[i] <= v[j]))] +#[requires(forall(|i: usize, j: usize| mid <= i && i <= j && j < v.len() ==> v[i] <= v[j]))] #[ensures(v.len() == old(v.len()))] +#[ensures(forall(|i: usize, j: usize| 0 <= i && i <= j && j < v.len() ==> v[i] <= v[j]))] fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let len = v.len(); - if mid <= len - mid { + //if mid <= len - mid { let mut i = 0; while i < mid { body_invariant!(v.len() == len); @@ -68,6 +112,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(i < mid); body_invariant!(buf.len() == i); body_invariant!(buf.len() < mid); + buf.push(v[i]); i += 1; assert!(buf.len() <= mid); @@ -93,6 +138,9 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(out <= left + right - mid); body_invariant!(out < v.len()); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < out ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < len ==> v[x] <= v[y])); + if v[right] < buf.index(left) { v[out] = v[right]; right += 1; @@ -103,6 +151,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { out += 1; } + assert!(out == mid); assert!(v.len() == len); while left < mid { @@ -116,13 +165,24 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(buf.len() == mid); body_invariant!(left < buf.len()); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < out ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < len ==> v[x] <= v[y])); // we can remove this + v[out] = buf.index(left); out += 1; left += 1; } + assert!(out == right); + + let mut u = 0; + while u < len { + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < u ==> v[x] <= v[y])); + u += 1; + } + assert!(v.len() == len); - } else { + /*} else { let mut i = mid; while i < len { body_invariant!(v.len() == len); @@ -157,6 +217,9 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(out == left + right); body_invariant!(out > 0); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < left ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| out <= x && x <= y && y < len ==> v[x] <= v[y])); + out -= 1; if buf.index(right - 1) < v[left - 1] { left -= 1; @@ -167,6 +230,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } } + assert!(out == mid); assert!(v.len() == len); while right > 0 { @@ -180,12 +244,23 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(right <= len); body_invariant!(right <= v.len()); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < left ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| out <= x && x <= y && y < len ==> v[x] <= v[y])); + right -= 1; v[right] = buf.index(right); } + assert!(out == left); + + let mut u = 0; + while u < len { + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < u ==> v[x] <= v[y])); + u += 1; + } + assert!(v.len() == len); - } + }*/ } struct Runs{ @@ -243,51 +318,80 @@ impl Runs { self.len[index] } + #[trusted] + //#[requires(new_len > 0)] + #[requires(self.get_runs_sum_max() == v.len())] + #[requires(new_len + new_start <= self.get_runs_sum_max())] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[requires(self.get_runs_sum_cur() + new_len <= self.get_runs_sum_max())] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + new_len <= self.get_runs_sum_max())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j)))))] #[requires(self.len() == 0 || self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] #[requires(self.len() == 0 || new_start < self.index_start(self.len() - 1))] #[requires(self.len() < 1 || new_start + new_len == self.index_start(self.len() - 1))] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[requires(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] + #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + //#[requires(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] + + #[requires(forall(|i: usize, j: usize| (new_start <= i && i <= j && j < new_start + new_len) ==> v[i] <= v[j]))] + #[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] + //#[requires(forall(|i: usize, j: usize| (new_start <= i && i <= j && j < new_start + new_len) ==> v[i] <= v[j]))] + + #[ensures(self.get_runs_sum_max() == v.len())] #[ensures(self.len() == old(self.len()) + 1)] #[ensures(self.index_len(self.len() - 1) == new_len)] #[ensures(self.get_runs_sum_cur() == new_len + old(self.get_runs_sum_cur()))] #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[ensures(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] - pub fn push(&mut self, new_start: usize, new_len: usize) { + #[ensures(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] + #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] + //#[ensures(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] + + #[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] + //#[ensures(forall(|i: usize, j: usize| (new_start <= i && i <= j && j < v.len()) ==> v[i] <= v[j]))] + pub fn push(&mut self, new_start: usize, new_len: usize, v: &[i32]) { self.add_runs_sum_cur(new_len); self.start.push(new_start); self.len.push(new_len); } - + #[trusted] + #[requires(self.get_runs_sum_max() == v.len())] #[requires(0 <= index && index < self.len() - 1)] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[requires(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] #[requires(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[requires(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] + //#[requires(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] + + //#[requires(forall(|x: usize, y: usize| (self.index_start(index + 1) <= x && x <= y && y < self.index_start(index) + self.index_len(index)) ==> v[x] <= v[y]))] + #[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] + + #[ensures(self.get_runs_sum_max() == v.len())] #[ensures(self.len() == old(self.len()) - 1)] #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] + #[ensures(self.index_start(index) == old(self.index_start(index + 1)))] #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()))] #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[ensures(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] - pub fn merge(&mut self, index: usize) { + #[ensures(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] + //#[ensures(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] + + //#[ensures(forall(|x: usize, y: usize| (self.index_start(index) <= x && x <= y && y < self.index_start(index) + self.index_len(index)) ==> v[x] <= v[y]))] + #[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] + pub fn merge(&mut self, index: usize, v: &[i32]) { let new_start = self.index_start(index + 1); let new_len = self.index_len(index) + self.index_len(index + 1); self.start[index] = new_start; @@ -297,7 +401,6 @@ impl Runs { } } -#[trusted] #[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] fn collapse(runs: &Runs) -> usize { @@ -332,25 +435,28 @@ fn collapse(runs: &Runs) -> usize { return n; } -#[trusted] -#[requires(2 * v.len() <= usize::MAX)] +#[requires(v.len() >= 1 && v.len() <= usize::MAX)] +#[ensures(forall(|x: usize, y: usize| v.len() < 2 || ((0 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])))] fn sort_small_array(v: &mut [i32]) { - let len = v.len(); - if len >= 2 { - let mut i = len - 2; + if v.len() < 2 { + return; + } else { + let mut len = v.len(); + assert!(v.len() >= 2); + let mut i = v.len() - 2; loop { - body_invariant!(i >= 0); - insert_head(&mut v[i..]); + body_invariant!(i >= 0 && i < v.len() - 1); + body_invariant!(forall(|x: usize, y: usize| (i + 1 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])); + insert_head(v, i, len); if i == 0 { break; } else { i -= 1; } - } + } } } -#[trusted] #[requires(v.len() <= usize::MAX)] #[requires(runs.get_runs_sum_max() == v.len())] #[requires(end >= 1 && end <= v.len())] @@ -359,84 +465,133 @@ fn sort_small_array(v: &mut [i32]) { #[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] -#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[requires(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j))))] #[requires(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] -#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] +#[requires(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))] +//#[requires(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0))] + +#[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y]))] +//#[requires(forall(|i: usize, j: usize| (end <= i && i <= j && j < v.len()) ==> v[i] <= v[j]))] + #[ensures(runs.len() == old(runs.len()) + 1)] #[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] -#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[ensures(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j))))] #[ensures(runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] -#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] +#[ensures(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))] #[ensures(result >= 0 && result < v.len())] +#[ensures(v.len() == old(v.len()))] #[ensures(runs.get_runs_sum_cur() == v.len() - result)] #[ensures(runs.get_runs_sum_max() == old(runs.get_runs_sum_max()))] -#[ensures(v.len() == old(v.len()))] #[ensures(runs.get_runs_sum_max() == v.len())] +//#[ensures(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0))] + +#[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y]))] +//#[ensures(forall(|i: usize, j: usize| (result <= i && i <= j && j < v.len()) ==> v[i] <= v[j]))] fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) -> usize { let mut start = end - 1; assert!(start < end); + let mut u = 0; + while u < runs.len() { + body_invariant!(u < runs.len()); + body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < 0 && runs.index_len(i) <= x && x <= y && y <= runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); + u += 1; + } + if start > 0 { start -= 1; assert!(start < end - 1); assert!(end <= v.len()); assert!(start < v.len() - 1); if v[start + 1] < v[start] { + assert!(v[start] >= v[start + 1]); while start > 0 { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] >= v[y])); if !(v[start] < v[start - 1]) { break; } + assert!(v[start - 1] >= v[start]); start -= 1; + assert!(v[start] >= v[start + 1]); + } + let mut i = start; + while i < end { + body_invariant!(i < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] >= v[y])); + i += 1; } v[start..end].reverse(); + let mut i = start; + while i < end { + body_invariant!(i < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] <= v[y])); + i += 1; + } } else { + assert!(v[start] <= v[start + 1]); while start > 0 { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y])); if v[start] < v[start - 1] { break; } + assert!(v[start - 1] <= v[start]); start -= 1; + assert!(v[start] <= v[start + 1]); + } + let mut i = start; + while i < end { + body_invariant!(i < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] <= v[y])); + i += 1; } } } + assert!(runs.get_runs_sum_cur() == v.len() - end); while start > 0 && end - start < MIN_RUN { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && end <= v.len() && start < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y])); start -= 1; - insert_head(&mut v[start..end]); + insert_head(v, start, end); } - + assert!(runs.get_runs_sum_cur() == v.len() - end); assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); - assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == end); assert!(start < end); - assert!(runs.len() == 0 || start < runs.index_start(runs.len() - 1)); + assert!(runs.len() == 0 || (runs.index_start(runs.len() - 1) == end && start < runs.index_start(runs.len() - 1))); let new_len = end - start; + assert!(new_len > 0); assert!(start + new_len <= v.len()); assert!(start + new_len <= runs.get_runs_sum_max()); assert!(start + new_len == end); - assert!(start + new_len == runs.index_start(runs.len() - 1)); + assert!(runs.len() == 0 || start + new_len == runs.index_start(runs.len() - 1)); + + runs.push(start, new_len, &v); + + assert!(runs.get_runs_sum_cur() == v.len() - start); - runs.push(start, new_len); end = start; assert!(runs.get_runs_sum_cur() == v.len() - end); - + return end; } + #[requires(v.len() <= usize::MAX)] +//#[ensures(forall(|x: usize, y: usize| ((0 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])))] fn merge_sort(v: &mut [i32]) { const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; @@ -447,10 +602,11 @@ fn merge_sort(v: &mut [i32]) { } let len = v.len(); - if len <= MAX_INSERTION { - sort_small_array(v); - return; - } + //if len <= MAX_INSERTION { + // sort_small_array(v); + // return; + //} + let mut buf = Buf::new(len / 2); let mut runs = Runs::new(v.len()); @@ -470,16 +626,18 @@ fn merge_sort(v: &mut [i32]) { body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j)))); body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); + body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))); + //body_invariant!(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0)); + + body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); assert!(end >= 1 && end <= v.len()); end = push_new_run(v, &mut runs, end, MIN_RUN_COPY); assert!(runs.get_runs_sum_cur() == v.len() - end); assert!(runs.get_runs_sum_max() == v.len()); - loop { body_invariant!(buf.len() == 0); body_invariant!(runs.get_runs_sum_max() == v.len()); @@ -488,10 +646,13 @@ fn merge_sort(v: &mut [i32]) { body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j)))); body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); + body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))); + //body_invariant!(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0)); + body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); + let r = collapse(&runs); assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); @@ -506,25 +667,33 @@ fn merge_sort(v: &mut [i32]) { let right_len = runs.index_len(r); assert!(left_start < right_start); - assert!(right_start + right_len <= runs.get_runs_sum_max()); - assert!(right_start + right_len <= v.len()); + // assert!(right_start + right_len <= runs.get_runs_sum_max()); + // assert!(right_start + right_len <= v.len()); assert!(left_start + left_len == right_start); + + // assert!(left_start + left_len < right_start + right_len); - merge( - &mut v[left_start..right_start + right_len], - left_len, - &mut buf, - ); - - buf = Buf::new(len / 2); - assert!(buf.len() == 0); + // requires + // 1) v[left.start..left.start+left.len] is sorted + // 2) v[right.start..right.start+right.len] is sorted + + // merge( + // take_mut_slice_for_merging(v, left_start, left_start + left_len, right_start + right_len), + // left_start + left_len, + // &mut buf, + // ); + + // ensures + // 1) v[left.start..right.start+right.len] is sorted + + // buf = Buf::new(len / 2); + // assert!(buf.len() == 0); - runs.merge(r); + // runs.merge(r, &v); } - } - } + //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); } \ No newline at end of file From 64a166cc8c47e452e1ae7adee52f57c4b293086b Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Sat, 4 Jun 2022 17:38:29 +0200 Subject: [PATCH 11/14] verify extra parts --- .../verifying_tim_sort/src/fix_panic_code.rs | 538 ------------------ .../verifying_tim_sort/src/main.rs | 301 +++------- 2 files changed, 70 insertions(+), 769 deletions(-) delete mode 100644 prusti-tests/tests/cargo_verify/verifying_tim_sort/src/fix_panic_code.rs diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/fix_panic_code.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/fix_panic_code.rs deleted file mode 100644 index 5215e0a29c7..00000000000 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/fix_panic_code.rs +++ /dev/null @@ -1,538 +0,0 @@ -use prusti_contracts::*; - -use std::vec::Vec; - -pub fn main() { - let mut x : [i32; 50] = [5; 50]; - //merge_sort(&mut x); -} - -fn insert_head(v: &mut [i32]) { - if v.len() >= 2 && (v[1] < v[0]) { - let tmp = v[0]; - v[0] = v[1]; - let mut i = 2; - while i < v.len() { - body_invariant!(i >= 2 && i < v.len()); - if !(i < v.len() && v[i] < tmp) { - break; - } - v[i - 1] = v[i]; - i += 1; - } - v[i - 1] = tmp; - } -} - -struct Buf{ - v: Vec, -} - -impl Buf { - #[trusted] - #[ensures(result.len() == 0)] - pub fn new(len: usize) -> Buf { - Buf {v: Vec::with_capacity(len / 2)} - } - - #[trusted] - #[pure] - #[ensures(result >= 0)] - pub fn len(&self) -> usize { - self.v.len() - } - - #[trusted] - #[pure] - #[requires(0 <= index && index < self.len())] - pub fn index(&self, index: usize) -> i32 { - self.v[index] - } - - #[trusted] - #[ensures(self.len() == old(self).len() + 1)] - pub fn push(&mut self, value: i32) { - self.v.push(value); - } -} - -#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] -#[ensures(v.len() == old(v.len()))] -fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { - let len = v.len(); - if mid <= len - mid { - let mut i = 0; - while i < mid { - body_invariant!(v.len() == len); - - body_invariant!(i < mid); - body_invariant!(buf.len() == i); - body_invariant!(buf.len() < mid); - buf.push(v[i]); - i += 1; - assert!(buf.len() <= mid); - } - assert!(buf.len() == mid); - - let mut left = 0; - let mut right = mid; - let mut out = 0; - - while left < mid && right < len { - body_invariant!(v.len() == len); - - body_invariant!(right < len); - body_invariant!(len == v.len()); - body_invariant!(right < v.len()); - - body_invariant!(left < mid); - body_invariant!(buf.len() == mid); - body_invariant!(left < buf.len()); - - body_invariant!(left + right - mid < v.len()); - body_invariant!(out <= left + right - mid); - body_invariant!(out < v.len()); - - if v[right] < buf.index(left) { - v[out] = v[right]; - right += 1; - } else { - v[out] = buf.index(left); - left += 1; - } - out += 1; - } - - assert!(v.len() == len); - - while left < mid { - body_invariant!(v.len() == len); - - body_invariant!(left < mid); - body_invariant!(v.len() - out >= mid - left); - body_invariant!(out < v.len()); - - body_invariant!(left < mid); - body_invariant!(buf.len() == mid); - body_invariant!(left < buf.len()); - - v[out] = buf.index(left); - out += 1; - left += 1; - } - - assert!(v.len() == len); - } else { - let mut i = mid; - while i < len { - body_invariant!(v.len() == len); - - body_invariant!(i >= mid && i < len); - body_invariant!(buf.len() == i - mid); - body_invariant!(buf.len() < len - mid); - buf.push(v[i]); - i += 1; - assert!(buf.len() <= len - mid); - } - assert!(buf.len() == len - mid); - - let mut left = mid; - let mut right = len - mid; - let mut out = len; - - while left > 0 && right > 0 { - body_invariant!(v.len() == len); - - body_invariant!(left >= 1); - body_invariant!(mid <= v.len()); - body_invariant!(left <= mid); - body_invariant!(left <= v.len()); - - body_invariant!(right >= 1); - body_invariant!(right <= len - mid); - body_invariant!(right <= buf.len()); - - body_invariant!(out <= v.len()); - body_invariant!(left + right > 0); - body_invariant!(out == left + right); - body_invariant!(out > 0); - - out -= 1; - if buf.index(right - 1) < v[left - 1] { - left -= 1; - v[out] = v[left]; - } else { - right -= 1; - v[out] = buf.index(right); - } - } - - assert!(v.len() == len); - - while right > 0 { - body_invariant!(v.len() == len); - - body_invariant!(right >= 1); - - body_invariant!(right <= len - mid); - body_invariant!(right <= buf.len()); - - body_invariant!(right <= len); - body_invariant!(right <= v.len()); - - right -= 1; - v[right] = buf.index(right); - } - - assert!(v.len() == len); - } -} - -struct Runs{ - start: Vec, - len: Vec, - runs_sum_cur: usize, - runs_sum_max: usize, -} - -impl Runs { - #[trusted] - #[requires(runs_sum_max <= usize::MAX)] - #[ensures(result.len() == 0)] - #[ensures(result.get_runs_sum_cur() == 0)] - #[ensures(result.get_runs_sum_max() == runs_sum_max)] - pub fn new(runs_sum_max: usize) -> Runs { - Runs {start: vec![], len: vec![], runs_sum_cur: 0, runs_sum_max} - } - - #[trusted] - #[pure] - #[ensures(result >= 0)] - pub fn len(&self) -> usize { - self.len.len() - } - - #[pure] - pub fn get_runs_sum_cur(&self) -> usize { - self.runs_sum_cur - } - - #[pure] - pub fn get_runs_sum_max(&self) -> usize { - self.runs_sum_max - } - - #[requires(self.get_runs_sum_cur() + value <= self.get_runs_sum_max())] - #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()) + value)] - #[ensures(self.get_runs_sum_cur() <= self.get_runs_sum_max())] - pub fn add_runs_sum_cur(&mut self, value: usize) { - self.runs_sum_cur += value; - } - - #[pure] - #[trusted] - #[requires(0 <= index && index < self.len())] - pub fn index_start(&self, index: usize) -> usize { - self.start[index] - } - - #[pure] - #[trusted] - #[requires(0 <= index && index < self.len())] - pub fn index_len(&self, index: usize) -> usize { - self.len[index] - } - - #[trusted] - #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] - #[requires(self.get_runs_sum_cur() + new_len <= self.get_runs_sum_max())] - #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + new_len <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i) > self.index_start(i + 1)))))] - #[requires(self.len() == 0 || self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[requires(self.len() == 0 || new_start < self.index_start(self.len() - 1))] - #[requires(self.len() < 1 || new_start + new_len == self.index_start(self.len() - 1))] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] - #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - - #[ensures(self.len() == old(self.len()) + 1)] - #[ensures(self.index_len(self.len() - 1) == new_len)] - #[ensures(self.get_runs_sum_cur() == new_len + old(self.get_runs_sum_cur()))] - #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] - #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] - #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[ensures(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i) > self.index_start(i + 1)))))] - #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[ensures(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i + 1) + self.index_len(i + 1) == self.index_start(i)))))] - #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - pub fn push(&mut self, new_start: usize, new_len: usize) { - self.add_runs_sum_cur(new_len); - self.start.push(new_start); - self.len.push(new_len); - } - - /* - #[trusted] - #[requires(0 <= index && index < self.len() - 1)] - #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] - #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] - #[requires(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] - #[ensures(self.len() == old(self.len()) - 1)] - #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] - #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()))] - #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] - #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] - #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] - #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] - pub fn merge(&mut self, index: usize) { - let new_start = self.index_start(index + 1); - let new_len = self.index_len(index) + self.index_len(index + 1); - self.start[index] = new_start; - self.len[index] = new_len; - self.start.remove(index + 1); - self.len.remove(index + 1); - } - */ -} -/* -#[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] -#[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] -fn collapse(runs: &Runs) -> usize { - let n = runs.len(); - if n >= 2 { - assert!(n >= 2 && n <= runs.len()); - if runs.index_start(n - 1) == 0 { - return n - 2; - } else if runs.index_len(n - 2) <= runs.index_len(n - 1) { - return n - 2; - } else if n >= 3 { - assert!(n >= 3 && n <= runs.len()); - assert!(runs.index_len(n - 2) <= usize::MAX); - if runs.index_len(n - 3) <= runs.index_len(n - 2) + runs.index_len(n - 1) { - if runs.index_len(n - 3) < runs.index_len(n - 1) { - return n - 3; - } else { - return n - 2; - } - } else if n >= 4 { - assert!(n >= 4 && n <= runs.len()); - if runs.index_len(n - 4) <= runs.index_len(n - 3) + runs.index_len(n - 2) { - if runs.index_len(n - 3) < runs.index_len(n - 1) { - return n - 3; - } else { - return n - 2; - } - } - } - } - } - return n; -} - -#[requires(v.len() <= usize::MAX)] -fn sort_small_array(v: &mut [i32]) { - let len = v.len(); - if len >= 2 { - let mut i = len - 2; - loop { - body_invariant!(i >= 0); - insert_head(&mut v[i..]); - if i == 0 { - break; - } else { - i -= 1; - } - } - } -} -*/ -#[requires(v.len() <= usize::MAX)] -#[requires(runs.get_runs_sum_max() == v.len())] -#[requires(end >= 1 && end <= v.len())] -#[requires(runs.get_runs_sum_cur() == v.len() - end)] -#[requires(MIN_RUN < 100)] -#[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] -#[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] -#[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] -#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] -#[requires(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] -#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))]#[ensures(runs.len() == old(runs.len()) + 1)] -#[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] -#[ensures(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] -#[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] -#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] -#[ensures(runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] -#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] -#[ensures(result >= 0 && result < v.len())] -#[ensures(v.len() == old(v.len()))] -#[ensures(runs.get_runs_sum_cur() == v.len() - result)] -#[ensures(runs.get_runs_sum_max() == old(runs.get_runs_sum_max()))] -#[ensures(runs.get_runs_sum_max() == v.len())] -fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) -> usize { - let mut start = end - 1; - assert!(start < end); - - if start > 0 { - assert!(runs.get_runs_sum_cur() == v.len() - end); - start -= 1; - assert!(start < end - 1); - assert!(end <= v.len()); - assert!(start < v.len() - 1); - if v[start + 1] < v[start] { - while start > 0 { - body_invariant!(runs.get_runs_sum_cur() == v.len() - end); - body_invariant!(start >= 1 && start < v.len() - 1 && start < end); - if !(v[start] < v[start - 1]) { - break; - } - start -= 1; - } - assert!(runs.get_runs_sum_cur() == v.len() - end); - v[start..end].reverse(); - assert!(runs.get_runs_sum_cur() == v.len() - end); - } else { - while start > 0 { - body_invariant!(runs.get_runs_sum_cur() == v.len() - end); - body_invariant!(start >= 1 && start < v.len() - 1 && start < end); - if v[start] < v[start - 1] { - break; - } - start -= 1; - } - } - } - - assert!(runs.get_runs_sum_cur() == v.len() - end); - - while start > 0 && end - start < MIN_RUN { - body_invariant!(runs.get_runs_sum_cur() == v.len() - end); - body_invariant!(start >= 1 && end <= v.len() && start < end); - start -= 1; - insert_head(&mut v[start..end]); - } - - assert!(runs.get_runs_sum_cur() == v.len() - end); - - assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); - assert!(start < end); - //assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == end); - assert!(runs.len() == 0 || (runs.index_start(runs.len() - 1) == end && start < runs.index_start(runs.len() - 1))); - - let new_len = end - start; - assert!(start + new_len <= v.len()); - assert!(start + new_len <= runs.get_runs_sum_max()); - - assert!(start + new_len == end); - assert!(runs.len() == 0 || start + new_len == runs.index_start(runs.len() - 1)); - - runs.push(start, new_len); - - assert!(runs.get_runs_sum_cur() == v.len() - start); - - end = start; - - //assert!(v.len() == runs.get_runs_sum_max()); - assert!(runs.get_runs_sum_cur() == v.len() - end); - - return end; -} - -#[requires(v.len() <= usize::MAX)] -fn merge_sort(v: &mut [i32]) { - const MAX_INSERTION: usize = 20; - const MIN_RUN: usize = 10; - let MIN_RUN_COPY = MIN_RUN; - - if v.len() == 0 { - return; - } - - let len = v.len(); - if len <= MAX_INSERTION { - sort_small_array(v); - return; - } - - let mut buf = Buf::new(len / 2); - let mut runs = Runs::new(v.len()); - - assert!(v.len() >= 1); - assert!(runs.len() == 0); - assert!(runs.get_runs_sum_cur() == 0); - assert!(runs.get_runs_sum_max() == v.len()); - - let mut end = len; - while end > 0 { - body_invariant!(buf.len() == 0); - body_invariant!(end >= 1 && end <= v.len()); - body_invariant!(runs.get_runs_sum_max() == v.len()); - body_invariant!(runs.get_runs_sum_cur() == v.len() - end); - body_invariant!(runs.get_runs_sum_cur() < runs.get_runs_sum_max()); - body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); - body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); - body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); - - assert!(end >= 1 && end <= v.len()); - end = push_new_run(v, &mut runs, end, MIN_RUN_COPY); - assert!(runs.get_runs_sum_cur() == v.len() - end); - assert!(runs.get_runs_sum_max() == v.len()); - - - loop { - body_invariant!(buf.len() == 0); - body_invariant!(runs.get_runs_sum_max() == v.len()); - body_invariant!(runs.get_runs_sum_cur() == v.len() - end); - body_invariant!(runs.get_runs_sum_cur() <= runs.get_runs_sum_max()); - body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); - body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); - body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); - - let r = collapse(&runs); - assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); - - if r == runs.len() { - assert!(r == runs.len()); - break; - } else if runs.len() > 1 && r < runs.len() - 1 { - assert!(runs.len() > 1 && r < runs.len() - 1); - let left_start = runs.index_start(r + 1); - let left_len = runs.index_len(r + 1); - let right_start = runs.index_start(r); - let right_len = runs.index_len(r); - - assert!(left_start < right_start); - assert!(right_start + right_len <= runs.get_runs_sum_max()); - assert!(right_start + right_len <= v.len()); - - assert!(left_start + left_len == right_start); - - merge( - &mut v[left_start..right_start + right_len], - left_len, - &mut buf, - ); - - buf = Buf::new(len / 2); - assert!(buf.len() == 0); - - runs.merge(r); - } - - } - - } - //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); -} \ No newline at end of file diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index 3f6723d9a0c..5215e0a29c7 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,4 +1,3 @@ -extern crate prusti_contracts; use prusti_contracts::*; use std::vec::Vec; @@ -6,49 +5,22 @@ use std::vec::Vec; pub fn main() { let mut x : [i32; 50] = [5; 50]; //merge_sort(&mut x); - //println!("{:?}", x); } -#[requires(v.len() > 1)] -#[requires(start_index < end_index - 1 && end_index <= v.len())] -#[requires(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y < v.len()) ==> v[x] <= v[y]))] -#[ensures(forall(|x: usize, y: usize| (start_index <= x && x <= y && y < v.len()) ==> v[x] <= v[y]))] -#[ensures(v.len() == old(v.len()))] -fn insert_head(v: &mut [i32], start_index: usize, end_index: usize) { - let mut i = start_index + 1; - while i < end_index { - body_invariant!(i < end_index); - body_invariant!(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y <= i) ==> v[x] <= v[y])); - i += 1; - } - if v.len() >= 2 && (v[start_index + 1] < v[start_index]) { - let tmp = v[start_index]; - v[start_index] = v[start_index + 1]; - let mut i = start_index + 2; - assert!(v[start_index] <= v[start_index + 1]); - assert!(tmp >= v[start_index]); - assert!(tmp >= v[start_index + 1]); - while i < end_index { - body_invariant!(i >= start_index + 2 && i < end_index); - body_invariant!(tmp >= v[i - 1]); - body_invariant!(v[i - 2] == v[i - 1]); - body_invariant!(forall(|x: usize, y: usize| (i <= x && x <= y && y < end_index) ==> v[x] <= v[y])); - if v[i] >= tmp { - assert!(tmp >= v[i - 2]); +fn insert_head(v: &mut [i32]) { + if v.len() >= 2 && (v[1] < v[0]) { + let tmp = v[0]; + v[0] = v[1]; + let mut i = 2; + while i < v.len() { + body_invariant!(i >= 2 && i < v.len()); + if !(i < v.len() && v[i] < tmp) { break; } v[i - 1] = v[i]; - assert!(tmp > v[i]); i += 1; } v[i - 1] = tmp; - assert!(i == end_index || (tmp <= v[i] && tmp >= v[i - 2])); - } - let mut i = start_index; - while i < end_index { - body_invariant!(i < end_index); - body_invariant!(forall(|x: usize, y: usize| (start_index <= x && x <= y && y <= i) ==> v[x] <= v[y])); - i += 1; } } @@ -84,27 +56,11 @@ impl Buf { } } -// #[trusted] -// #[requires(start < end && end <= v.len())] -// #[requires(start < mid && mid < end)] -// #[requires(forall(|i: usize, j: usize| start <= i && i <= j && j < mid ==> v[i] <= v[j]))] -// #[requires(forall(|i: usize, j: usize| mid <= i && i <= j && j < end ==> v[i] <= v[j]))] -// #[ensures(start < end && end <= v.len())] -// #[ensures(start < mid && mid < end)] -// #[ensures(forall(|i: usize, j: usize| start <= i && i <= j && j < mid ==> v[i] <= v[j]))] -// #[ensures(forall(|i: usize, j: usize| mid <= i && i <= j && j < end ==> v[i] <= v[j]))] -// fn take_mut_slice_for_merging(v: &mut [i32], start: usize, mid: usize, end: usize) -> &mut [i32] { &mut v[start..end] } - - -#[requires(0 < mid && mid < v.len())] -#[requires(buf.len() == 0)] -#[requires(forall(|i: usize, j: usize| 0 <= i && i <= j && j < mid ==> v[i] <= v[j]))] -#[requires(forall(|i: usize, j: usize| mid <= i && i <= j && j < v.len() ==> v[i] <= v[j]))] +#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] #[ensures(v.len() == old(v.len()))] -#[ensures(forall(|i: usize, j: usize| 0 <= i && i <= j && j < v.len() ==> v[i] <= v[j]))] fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { let len = v.len(); - //if mid <= len - mid { + if mid <= len - mid { let mut i = 0; while i < mid { body_invariant!(v.len() == len); @@ -112,7 +68,6 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(i < mid); body_invariant!(buf.len() == i); body_invariant!(buf.len() < mid); - buf.push(v[i]); i += 1; assert!(buf.len() <= mid); @@ -138,9 +93,6 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(out <= left + right - mid); body_invariant!(out < v.len()); - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < out ==> v[x] <= v[y])); - body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < len ==> v[x] <= v[y])); - if v[right] < buf.index(left) { v[out] = v[right]; right += 1; @@ -151,7 +103,6 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { out += 1; } - assert!(out == mid); assert!(v.len() == len); while left < mid { @@ -165,24 +116,13 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(buf.len() == mid); body_invariant!(left < buf.len()); - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < out ==> v[x] <= v[y])); - body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < len ==> v[x] <= v[y])); // we can remove this - v[out] = buf.index(left); out += 1; left += 1; } - assert!(out == right); - - let mut u = 0; - while u < len { - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < u ==> v[x] <= v[y])); - u += 1; - } - assert!(v.len() == len); - /*} else { + } else { let mut i = mid; while i < len { body_invariant!(v.len() == len); @@ -217,9 +157,6 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(out == left + right); body_invariant!(out > 0); - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < left ==> v[x] <= v[y])); - body_invariant!(forall(|x: usize, y: usize| out <= x && x <= y && y < len ==> v[x] <= v[y])); - out -= 1; if buf.index(right - 1) < v[left - 1] { left -= 1; @@ -230,7 +167,6 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } } - assert!(out == mid); assert!(v.len() == len); while right > 0 { @@ -244,23 +180,12 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(right <= len); body_invariant!(right <= v.len()); - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < left ==> v[x] <= v[y])); - body_invariant!(forall(|x: usize, y: usize| out <= x && x <= y && y < len ==> v[x] <= v[y])); - right -= 1; v[right] = buf.index(right); } - assert!(out == left); - - let mut u = 0; - while u < len { - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < u ==> v[x] <= v[y])); - u += 1; - } - assert!(v.len() == len); - }*/ + } } struct Runs{ @@ -318,80 +243,54 @@ impl Runs { self.len[index] } - #[trusted] - //#[requires(new_len > 0)] - #[requires(self.get_runs_sum_max() == v.len())] - #[requires(new_len + new_start <= self.get_runs_sum_max())] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[requires(self.get_runs_sum_cur() + new_len <= self.get_runs_sum_max())] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + new_len <= self.get_runs_sum_max())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j)))))] + #[requires(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i) > self.index_start(i + 1)))))] #[requires(self.len() == 0 || self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] #[requires(self.len() == 0 || new_start < self.index_start(self.len() - 1))] #[requires(self.len() < 1 || new_start + new_len == self.index_start(self.len() - 1))] - #[requires(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - //#[requires(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] - - #[requires(forall(|i: usize, j: usize| (new_start <= i && i <= j && j < new_start + new_len) ==> v[i] <= v[j]))] - #[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] - //#[requires(forall(|i: usize, j: usize| (new_start <= i && i <= j && j < new_start + new_len) ==> v[i] <= v[j]))] - - #[ensures(self.get_runs_sum_max() == v.len())] + #[ensures(self.len() == old(self.len()) + 1)] #[ensures(self.index_len(self.len() - 1) == new_len)] #[ensures(self.get_runs_sum_cur() == new_len + old(self.get_runs_sum_cur()))] #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[ensures(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] + #[ensures(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i) > self.index_start(i + 1)))))] #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[ensures(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] + #[ensures(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i + 1) + self.index_len(i + 1) == self.index_start(i)))))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - //#[ensures(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] - - #[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] - //#[ensures(forall(|i: usize, j: usize| (new_start <= i && i <= j && j < v.len()) ==> v[i] <= v[j]))] - pub fn push(&mut self, new_start: usize, new_len: usize, v: &[i32]) { + pub fn push(&mut self, new_start: usize, new_len: usize) { self.add_runs_sum_cur(new_len); self.start.push(new_start); self.len.push(new_len); } - + /* #[trusted] - #[requires(self.get_runs_sum_max() == v.len())] #[requires(0 <= index && index < self.len() - 1)] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - #[requires(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] #[requires(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[requires(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] - //#[requires(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] - - //#[requires(forall(|x: usize, y: usize| (self.index_start(index + 1) <= x && x <= y && y < self.index_start(index) + self.index_len(index)) ==> v[x] <= v[y]))] - #[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] - - #[ensures(self.get_runs_sum_max() == v.len())] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] #[ensures(self.len() == old(self.len()) - 1)] #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] - #[ensures(self.index_start(index) == old(self.index_start(index + 1)))] #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()))] #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - #[ensures(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[ensures(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] - //#[ensures(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] - - //#[ensures(forall(|x: usize, y: usize| (self.index_start(index) <= x && x <= y && y < self.index_start(index) + self.index_len(index)) ==> v[x] <= v[y]))] - #[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] - pub fn merge(&mut self, index: usize, v: &[i32]) { + #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + pub fn merge(&mut self, index: usize) { let new_start = self.index_start(index + 1); let new_len = self.index_len(index) + self.index_len(index + 1); self.start[index] = new_start; @@ -399,8 +298,9 @@ impl Runs { self.start.remove(index + 1); self.len.remove(index + 1); } + */ } - +/* #[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] fn collapse(runs: &Runs) -> usize { @@ -435,28 +335,23 @@ fn collapse(runs: &Runs) -> usize { return n; } -#[requires(v.len() >= 1 && v.len() <= usize::MAX)] -#[ensures(forall(|x: usize, y: usize| v.len() < 2 || ((0 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])))] +#[requires(v.len() <= usize::MAX)] fn sort_small_array(v: &mut [i32]) { - if v.len() < 2 { - return; - } else { - let mut len = v.len(); - assert!(v.len() >= 2); - let mut i = v.len() - 2; + let len = v.len(); + if len >= 2 { + let mut i = len - 2; loop { - body_invariant!(i >= 0 && i < v.len() - 1); - body_invariant!(forall(|x: usize, y: usize| (i + 1 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])); - insert_head(v, i, len); + body_invariant!(i >= 0); + insert_head(&mut v[i..]); if i == 0 { break; } else { i -= 1; } - } + } } } - +*/ #[requires(v.len() <= usize::MAX)] #[requires(runs.get_runs_sum_max() == v.len())] #[requires(end >= 1 && end <= v.len())] @@ -465,90 +360,50 @@ fn sort_small_array(v: &mut [i32]) { #[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] -#[requires(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j))))] +#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] #[requires(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] -#[requires(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))] -//#[requires(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0))] - -#[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y]))] -//#[requires(forall(|i: usize, j: usize| (end <= i && i <= j && j < v.len()) ==> v[i] <= v[j]))] - -#[ensures(runs.len() == old(runs.len()) + 1)] +#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))]#[ensures(runs.len() == old(runs.len()) + 1)] #[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] -#[ensures(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j))))] +#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] #[ensures(runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] -#[ensures(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))] +#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] #[ensures(result >= 0 && result < v.len())] #[ensures(v.len() == old(v.len()))] #[ensures(runs.get_runs_sum_cur() == v.len() - result)] #[ensures(runs.get_runs_sum_max() == old(runs.get_runs_sum_max()))] #[ensures(runs.get_runs_sum_max() == v.len())] -//#[ensures(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0))] - -#[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y]))] -//#[ensures(forall(|i: usize, j: usize| (result <= i && i <= j && j < v.len()) ==> v[i] <= v[j]))] fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) -> usize { let mut start = end - 1; assert!(start < end); - let mut u = 0; - while u < runs.len() { - body_invariant!(u < runs.len()); - body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < 0 && runs.index_len(i) <= x && x <= y && y <= runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); - u += 1; - } - if start > 0 { + assert!(runs.get_runs_sum_cur() == v.len() - end); start -= 1; assert!(start < end - 1); assert!(end <= v.len()); assert!(start < v.len() - 1); if v[start + 1] < v[start] { - assert!(v[start] >= v[start + 1]); while start > 0 { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && start < v.len() - 1 && start < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] >= v[y])); if !(v[start] < v[start - 1]) { break; } - assert!(v[start - 1] >= v[start]); start -= 1; - assert!(v[start] >= v[start + 1]); - } - let mut i = start; - while i < end { - body_invariant!(i < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] >= v[y])); - i += 1; } + assert!(runs.get_runs_sum_cur() == v.len() - end); v[start..end].reverse(); - let mut i = start; - while i < end { - body_invariant!(i < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] <= v[y])); - i += 1; - } + assert!(runs.get_runs_sum_cur() == v.len() - end); } else { - assert!(v[start] <= v[start + 1]); while start > 0 { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && start < v.len() - 1 && start < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y])); if v[start] < v[start - 1] { break; } - assert!(v[start - 1] <= v[start]); start -= 1; - assert!(v[start] <= v[start + 1]); - } - let mut i = start; - while i < end { - body_invariant!(i < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] <= v[y])); - i += 1; } } } @@ -558,40 +413,38 @@ fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) while start > 0 && end - start < MIN_RUN { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && end <= v.len() && start < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y])); start -= 1; - insert_head(v, start, end); + insert_head(&mut v[start..end]); } - + assert!(runs.get_runs_sum_cur() == v.len() - end); assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); assert!(start < end); + //assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == end); assert!(runs.len() == 0 || (runs.index_start(runs.len() - 1) == end && start < runs.index_start(runs.len() - 1))); let new_len = end - start; - assert!(new_len > 0); assert!(start + new_len <= v.len()); assert!(start + new_len <= runs.get_runs_sum_max()); assert!(start + new_len == end); assert!(runs.len() == 0 || start + new_len == runs.index_start(runs.len() - 1)); - runs.push(start, new_len, &v); - + runs.push(start, new_len); + assert!(runs.get_runs_sum_cur() == v.len() - start); end = start; + //assert!(v.len() == runs.get_runs_sum_max()); assert!(runs.get_runs_sum_cur() == v.len() - end); - + return end; } - #[requires(v.len() <= usize::MAX)] -//#[ensures(forall(|x: usize, y: usize| ((0 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])))] fn merge_sort(v: &mut [i32]) { const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; @@ -602,11 +455,10 @@ fn merge_sort(v: &mut [i32]) { } let len = v.len(); - //if len <= MAX_INSERTION { - // sort_small_array(v); - // return; - //} - + if len <= MAX_INSERTION { + sort_small_array(v); + return; + } let mut buf = Buf::new(len / 2); let mut runs = Runs::new(v.len()); @@ -626,18 +478,16 @@ fn merge_sort(v: &mut [i32]) { body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j)))); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))); - //body_invariant!(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0)); - - body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); assert!(end >= 1 && end <= v.len()); end = push_new_run(v, &mut runs, end, MIN_RUN_COPY); assert!(runs.get_runs_sum_cur() == v.len() - end); assert!(runs.get_runs_sum_max() == v.len()); + loop { body_invariant!(buf.len() == 0); body_invariant!(runs.get_runs_sum_max() == v.len()); @@ -646,13 +496,10 @@ fn merge_sort(v: &mut [i32]) { body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j)))); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))); - //body_invariant!(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0)); + body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); - body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); - let r = collapse(&runs); assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); @@ -667,33 +514,25 @@ fn merge_sort(v: &mut [i32]) { let right_len = runs.index_len(r); assert!(left_start < right_start); - // assert!(right_start + right_len <= runs.get_runs_sum_max()); - // assert!(right_start + right_len <= v.len()); + assert!(right_start + right_len <= runs.get_runs_sum_max()); + assert!(right_start + right_len <= v.len()); assert!(left_start + left_len == right_start); - - // assert!(left_start + left_len < right_start + right_len); - // requires - // 1) v[left.start..left.start+left.len] is sorted - // 2) v[right.start..right.start+right.len] is sorted - - // merge( - // take_mut_slice_for_merging(v, left_start, left_start + left_len, right_start + right_len), - // left_start + left_len, - // &mut buf, - // ); - - // ensures - // 1) v[left.start..right.start+right.len] is sorted - - // buf = Buf::new(len / 2); - // assert!(buf.len() == 0); + merge( + &mut v[left_start..right_start + right_len], + left_len, + &mut buf, + ); + + buf = Buf::new(len / 2); + assert!(buf.len() == 0); - // runs.merge(r, &v); + runs.merge(r); } + } + } - //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); } \ No newline at end of file From 202aa0a235984cda82289f1dbac8f91222436d27 Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Thu, 9 Jun 2022 17:25:53 +0200 Subject: [PATCH 12/14] prove one run remains after execution --- .../verifying_tim_sort/src/main.rs | 451 ++++++++++++++---- 1 file changed, 360 insertions(+), 91 deletions(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index 5215e0a29c7..5096d4cb91f 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,3 +1,4 @@ +extern crate prusti_contracts; use prusti_contracts::*; use std::vec::Vec; @@ -5,22 +6,55 @@ use std::vec::Vec; pub fn main() { let mut x : [i32; 50] = [5; 50]; //merge_sort(&mut x); + //println!("{:?}", x); } -fn insert_head(v: &mut [i32]) { - if v.len() >= 2 && (v[1] < v[0]) { - let tmp = v[0]; - v[0] = v[1]; - let mut i = 2; - while i < v.len() { - body_invariant!(i >= 2 && i < v.len()); - if !(i < v.len() && v[i] < tmp) { +#[trusted] +#[requires(v.len() > 1)] +#[requires(start_index < end_index - 1)] +#[requires(end_index > 1 && end_index <= v.len())] +// #[requires(forall(|i: usize| i < v.len() ==> (v[i] == 0 || v[i] == 1)))] +#[requires(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y < end_index) ==> v[x] <= v[y]))] + +#[ensures(v.len() == old(v.len()))] +// #[ensures(forall(|i: usize| i < v.len() ==> (v[i] == 0 || v[i] == 1)))] +// #[ensures(sum_zero(v, v.len()) == sum_zero(old(v), v.len()))] +#[ensures(forall(|x: usize, y: usize| (start_index <= x && x <= y && y < end_index) ==> v[x] <= v[y]))] +fn insert_head(v: &mut [i32], start_index: usize, end_index: usize) { + let mut i = start_index + 1; + while i < end_index { + body_invariant!(i < end_index); + body_invariant!(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y <= i) ==> v[x] <= v[y])); + i += 1; + } + if v.len() >= 2 && (v[start_index + 1] < v[start_index]) { + let tmp = v[start_index]; + v[start_index] = v[start_index + 1]; + let mut i = start_index + 2; + assert!(v[start_index] <= v[start_index + 1]); + assert!(tmp >= v[start_index]); + assert!(tmp >= v[start_index + 1]); + while i < end_index { + body_invariant!(i >= start_index + 2 && i < end_index); + body_invariant!(tmp >= v[i - 1]); + body_invariant!(v[i - 2] == v[i - 1]); + body_invariant!(forall(|x: usize, y: usize| (i <= x && x <= y && y < end_index) ==> v[x] <= v[y])); + if v[i] >= tmp { + assert!(tmp >= v[i - 2]); break; } v[i - 1] = v[i]; + assert!(tmp > v[i]); i += 1; } v[i - 1] = tmp; + assert!(i == end_index || (tmp <= v[i] && tmp >= v[i - 2])); + } + let mut i = start_index; + while i < end_index { + body_invariant!(i < end_index); + body_invariant!(forall(|x: usize, y: usize| (start_index <= x && x <= y && y <= i) ==> v[x] <= v[y])); + i += 1; } } @@ -56,9 +90,26 @@ impl Buf { } } -#[requires(mid >= 0 && mid <= v.len() && buf.len() == 0)] -#[ensures(v.len() == old(v.len()))] -fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { +#[trusted] +#[requires(start < mid_full && mid_full < end && end <= v_full.len())] +#[requires(buf.len() == 0)] +#[requires(forall(|i: usize, j: usize| start <= i && i <= j && j < mid_full ==> v_full[i] <= v_full[j]))] +#[requires(forall(|i: usize, j: usize| mid_full <= i && i <= j && j < end ==> v_full[i] <= v_full[j]))] + +#[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v_full[x] <= v_full[y]))] + +#[ensures(v_full.len() == old(v_full.len()))] +#[ensures(forall(|i: usize, j: usize| start <= i && i <= j && j < mid_full ==> v_full[i] <= v_full[j]))] +#[ensures(forall(|i: usize, j: usize| mid_full <= i && i <= j && j < end ==> v_full[i] <= v_full[j]))] +#[ensures(forall(|i: usize, j: usize| start <= i && i <= j && j < end ==> v_full[i] <= v_full[j]))] + +#[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v_full[x] <= v_full[y]))] +fn merge(v_full: &mut [i32], start: usize, mid_full: usize, end: usize, buf: &mut Buf, runs: &Runs) { + let v = &mut v_full[start..end]; + let mid = mid_full - start; + //assert!(v.len() == end - start); + //assert!(0 < mid_full - start && mid_full - start < v.len()); + // #[ensures(forall(|i: usize, j: usize| start <= i && i < end && j == i - start ==> v[i] == result[j]))] let len = v.len(); if mid <= len - mid { let mut i = 0; @@ -68,6 +119,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(i < mid); body_invariant!(buf.len() == i); body_invariant!(buf.len() < mid); + buf.push(v[i]); i += 1; assert!(buf.len() <= mid); @@ -93,6 +145,9 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(out <= left + right - mid); body_invariant!(out < v.len()); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < out ==> v[x] <= v[y])); + // body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < len ==> v[x] <= v[y])); + if v[right] < buf.index(left) { v[out] = v[right]; right += 1; @@ -103,6 +158,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { out += 1; } + assert!(out == mid); assert!(v.len() == len); while left < mid { @@ -116,11 +172,22 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(buf.len() == mid); body_invariant!(left < buf.len()); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < out ==> v[x] <= v[y])); + // body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < len ==> v[x] <= v[y])); // we can remove this + v[out] = buf.index(left); out += 1; left += 1; } + assert!(out == right); + + let mut u = 0; + while u < len { + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < u ==> v[x] <= v[y])); + u += 1; + } + assert!(v.len() == len); } else { let mut i = mid; @@ -157,6 +224,9 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(out == left + right); body_invariant!(out > 0); + // body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < left ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| out <= x && x <= y && y < len ==> v[x] <= v[y])); + out -= 1; if buf.index(right - 1) < v[left - 1] { left -= 1; @@ -167,6 +237,7 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { } } + assert!(out == mid); assert!(v.len() == len); while right > 0 { @@ -180,14 +251,26 @@ fn merge(v: &mut [i32], mid: usize, buf: &mut Buf) { body_invariant!(right <= len); body_invariant!(right <= v.len()); + // body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < left ==> v[x] <= v[y])); // we can remove this + // body_invariant!(forall(|x: usize, y: usize| out <= x && x <= y && y < len ==> v[x] <= v[y])); // we can remove this + right -= 1; v[right] = buf.index(right); } + assert!(out == left); + + let mut u = 0; + while u < len { + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < u ==> v[x] <= v[y])); + u += 1; + } + assert!(v.len() == len); } } + struct Runs{ start: Vec, len: Vec, @@ -243,54 +326,86 @@ impl Runs { self.len[index] } + #[trusted] + #[requires(new_len > 0)] + #[requires(self.get_runs_sum_max() == v.len())] + #[requires(new_len + new_start <= self.get_runs_sum_max())] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[requires(self.get_runs_sum_cur() + new_len <= self.get_runs_sum_max())] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + new_len <= self.get_runs_sum_max())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i) > self.index_start(i + 1)))))] + #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j)))))] #[requires(self.len() == 0 || self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] #[requires(self.len() == 0 || new_start < self.index_start(self.len() - 1))] #[requires(self.len() < 1 || new_start + new_len == self.index_start(self.len() - 1))] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[requires(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - + #[requires(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] + + #[requires(forall(|i: usize, j: usize| (new_start <= i && i <= j && j < new_start + new_len) ==> v[i] <= v[j]))] + #[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] + + #[requires((self.len() == 0 && new_len + new_start == v.len()) || (self.len() > 0 && self.index_start(0) + self.index_len(0) == v.len()))] + + #[ensures(self.get_runs_sum_max() == v.len())] #[ensures(self.len() == old(self.len()) + 1)] #[ensures(self.index_len(self.len() - 1) == new_len)] #[ensures(self.get_runs_sum_cur() == new_len + old(self.get_runs_sum_cur()))] #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] - #[ensures(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i) > self.index_start(i + 1)))))] + #[ensures(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[ensures(forall(|i: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) ==> self.index_start(i + 1) + self.index_len(i + 1) == self.index_start(i)))))] + #[ensures(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - pub fn push(&mut self, new_start: usize, new_len: usize) { + #[ensures(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] + + #[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] + + #[ensures(self.index_start(0) + self.index_len(0) == v.len())] + pub fn push(&mut self, new_start: usize, new_len: usize, v: &[i32]) { self.add_runs_sum_cur(new_len); self.start.push(new_start); self.len.push(new_len); } - /* + #[trusted] + #[requires(self.get_runs_sum_max() == v.len())] #[requires(0 <= index && index < self.len() - 1)] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] #[requires(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[requires(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] #[requires(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[requires(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] + #[requires(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] + #[requires(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] + + #[requires(forall(|x: usize, y: usize| (self.index_start(index + 1) <= x && x <= y && y < self.index_start(index) + self.index_len(index)) ==> v[x] <= v[y]))] + #[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] + + #[requires(self.index_start(0) + self.index_len(0) == v.len())] + + #[ensures(self.get_runs_sum_max() == v.len())] #[ensures(self.len() == old(self.len()) - 1)] #[ensures(self.index_len(index) == old(self.index_len(index)) + old(self.index_len(index + 1)))] + #[ensures(self.index_start(index) == old(self.index_start(index + 1)))] #[ensures(self.get_runs_sum_cur() == old(self.get_runs_sum_cur()))] #[ensures(self.get_runs_sum_max() == old(self.get_runs_sum_max()))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) <= self.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < self.len() && i < j && j < self.len() ==> self.index_len(i) + self.index_len(j) <= self.get_runs_sum_max())))] #[ensures(forall(|i: usize| (0 <= i && i < self.len() ==> self.index_len(i) + self.index_start(i) <= self.get_runs_sum_max())))] - #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(i) > self.index_start(j)))))] + #[ensures(self.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(i) > self.index_start(j))))] #[ensures(self.index_start(self.len() - 1) == self.get_runs_sum_max() - self.get_runs_sum_cur())] - #[ensures(forall(|i: usize, j: usize| (self.len() < 2 || (self.len() >= 2 && 0 <= i && i < (self.len() - 1) && j == (i + 1) ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))))] - pub fn merge(&mut self, index: usize) { + #[ensures(self.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (self.len() - 1) && j == i + 1 ==> self.index_start(j) + self.index_len(j) == self.index_start(i)))] + #[ensures(forall(|i: usize| 0 <= i && i < self.len() ==> self.index_len(i) > 0))] + + #[ensures(forall(|x: usize, y: usize| (self.index_start(index) <= x && x <= y && y < self.index_start(index) + self.index_len(index)) ==> v[x] <= v[y]))] + #[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < self.len() && self.index_start(i) <= x && x <= y && y < self.index_start(i) + self.index_len(i)) ==> v[x] <= v[y]))] + + #[ensures(self.index_start(0) + self.index_len(0) == v.len())] + pub fn merge(&mut self, index: usize, v: &[i32]) { let new_start = self.index_start(index + 1); let new_len = self.index_len(index) + self.index_len(index + 1); self.start[index] = new_start; @@ -298,11 +413,11 @@ impl Runs { self.start.remove(index + 1); self.len.remove(index + 1); } - */ } -/* + #[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] +#[ensures(runs.len() < 2 || (runs.index_start(runs.len() - 1) != 0 || result == runs.len() - 2))] fn collapse(runs: &Runs) -> usize { let n = runs.len(); if n >= 2 { @@ -335,23 +450,31 @@ fn collapse(runs: &Runs) -> usize { return n; } -#[requires(v.len() <= usize::MAX)] +#[requires(v.len() >= 1 && v.len() <= usize::MAX)] +#[ensures(v.len() < 2 || forall(|x: usize, y: usize| 0 <= x && x <= y && y < v.len() ==> v[x] <= v[y]))] fn sort_small_array(v: &mut [i32]) { - let len = v.len(); - if len >= 2 { - let mut i = len - 2; + if v.len() < 2 { + return; + } else { + let len = v.len(); + let mut i = v.len() - 2; loop { - body_invariant!(i >= 0); - insert_head(&mut v[i..]); + body_invariant!(len == v.len()); + body_invariant!(i < v.len() - 1); + body_invariant!(forall(|x: usize, y: usize| (i + 1 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])); + insert_head(v, i, len); if i == 0 { break; } else { i -= 1; } - } + } } } -*/ + + +// the last pre and post conditions are not proved inside the function yet +#[trusted] #[requires(v.len() <= usize::MAX)] #[requires(runs.get_runs_sum_max() == v.len())] #[requires(end >= 1 && end <= v.len())] @@ -360,50 +483,93 @@ fn sort_small_array(v: &mut [i32]) { #[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] #[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[requires(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] -#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[requires(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j))))] #[requires(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] -#[requires(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))]#[ensures(runs.len() == old(runs.len()) + 1)] +#[requires(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))] +#[requires(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0))] + +#[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y]))] + +#[requires(runs.len() == 0 || runs.index_start(0) + runs.index_len(0) == v.len())] + +#[ensures(runs.len() == old(runs.len()) + 1)] +#[ensures(runs.len() > 0)] #[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur())))] #[ensures(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[ensures(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max())))] -#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j)))))] +#[ensures(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j))))] #[ensures(runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur())] -#[ensures(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i)))))] +#[ensures(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))] #[ensures(result >= 0 && result < v.len())] #[ensures(v.len() == old(v.len()))] #[ensures(runs.get_runs_sum_cur() == v.len() - result)] #[ensures(runs.get_runs_sum_max() == old(runs.get_runs_sum_max()))] #[ensures(runs.get_runs_sum_max() == v.len())] +#[ensures(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0))] + +#[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y]))] + +#[ensures(runs.index_start(0) + runs.index_len(0) == v.len())] fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) -> usize { let mut start = end - 1; assert!(start < end); + let mut u = 0; + while u < runs.len() { + body_invariant!(u < runs.len()); + body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < 0 && runs.index_len(i) <= x && x <= y && y <= runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); + u += 1; + } + if start > 0 { - assert!(runs.get_runs_sum_cur() == v.len() - end); start -= 1; assert!(start < end - 1); assert!(end <= v.len()); assert!(start < v.len() - 1); if v[start + 1] < v[start] { + assert!(v[start] >= v[start + 1]); while start > 0 { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] >= v[y])); if !(v[start] < v[start - 1]) { break; } + assert!(v[start - 1] >= v[start]); start -= 1; + assert!(v[start] >= v[start + 1]); + } + let mut i = start; + while i < end { + body_invariant!(i < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] >= v[y])); + i += 1; } - assert!(runs.get_runs_sum_cur() == v.len() - end); v[start..end].reverse(); - assert!(runs.get_runs_sum_cur() == v.len() - end); + let mut i = start; + while i < end { + body_invariant!(i < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] <= v[y])); + i += 1; + } } else { + assert!(v[start] <= v[start + 1]); while start > 0 { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && start < v.len() - 1 && start < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y])); if v[start] < v[start - 1] { break; } + assert!(v[start - 1] <= v[start]); start -= 1; + assert!(v[start] <= v[start + 1]); + } + let mut i = start; + while i < end { + body_invariant!(i < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] <= v[y])); + i += 1; } } } @@ -413,38 +579,58 @@ fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) while start > 0 && end - start < MIN_RUN { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && end <= v.len() && start < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y])); start -= 1; - insert_head(&mut v[start..end]); + insert_head(v, start, end); } - + + let mut i = start; + while i < end { + body_invariant!(i < end); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] >= v[y])); + i += 1; + } + assert!(runs.get_runs_sum_cur() == v.len() - end); assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); assert!(start < end); - //assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == end); assert!(runs.len() == 0 || (runs.index_start(runs.len() - 1) == end && start < runs.index_start(runs.len() - 1))); let new_len = end - start; + assert!(new_len > 0); assert!(start + new_len <= v.len()); assert!(start + new_len <= runs.get_runs_sum_max()); assert!(start + new_len == end); assert!(runs.len() == 0 || start + new_len == runs.index_start(runs.len() - 1)); - runs.push(start, new_len); + let mut i = start; + while i < start + new_len { + body_invariant!(i < start + new_len); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] >= v[y])); + i += 1; + } + + // assert!((runs.len() == 0 && end == v.len()) || (runs.len() > 0 && runs.index_start(0) + runs.index_len(0) == v.len())); + runs.push(start, new_len, &v); + + assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - start); + assert!(runs.get_runs_sum_max() == v.len()); assert!(runs.get_runs_sum_cur() == v.len() - start); end = start; - //assert!(v.len() == runs.get_runs_sum_max()); assert!(runs.get_runs_sum_cur() == v.len() - end); - + return end; } + #[requires(v.len() <= usize::MAX)] +// #[ensures(forall(|x: usize, y: usize| ((0 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])))] fn merge_sort(v: &mut [i32]) { const MAX_INSERTION: usize = 20; const MIN_RUN: usize = 10; @@ -453,13 +639,13 @@ fn merge_sort(v: &mut [i32]) { if v.len() == 0 { return; } - + let len = v.len(); if len <= MAX_INSERTION { sort_small_array(v); return; } - + let mut buf = Buf::new(len / 2); let mut runs = Runs::new(v.len()); @@ -478,61 +664,144 @@ fn merge_sort(v: &mut [i32]) { body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); + body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j)))); body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); + body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))); + body_invariant!(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0)); + + body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); + + body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == end); + + body_invariant!(runs.len() == 0 || runs.index_start(0) + runs.index_len(0) == v.len()); assert!(end >= 1 && end <= v.len()); end = push_new_run(v, &mut runs, end, MIN_RUN_COPY); - assert!(runs.get_runs_sum_cur() == v.len() - end); - assert!(runs.get_runs_sum_max() == v.len()); + // assert!(runs.get_runs_sum_cur() == v.len() - end); + // assert!(runs.get_runs_sum_max() == v.len()); + + // assert!(runs.len() > 0); + // assert!(runs.index_start(runs.len() - 1) == end); + // assert!(runs.index_start(0) + runs.index_len(0) == v.len()); + // let length = runs.len(); + + assert!(runs.len() > 0); + loop { - body_invariant!(buf.len() == 0); - body_invariant!(runs.get_runs_sum_max() == v.len()); - body_invariant!(runs.get_runs_sum_cur() == v.len() - end); - body_invariant!(runs.get_runs_sum_cur() <= runs.get_runs_sum_max()); - body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); - body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(i) > runs.index_start(j))))); - body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - body_invariant!(forall(|i: usize, j: usize| (runs.len() < 2 || (runs.len() >= 2 && 0 <= i && i < (runs.len() - 1) && j == (i + 1) ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))))); - - let r = collapse(&runs); - assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); + body_invariant!(runs.len() > 0); + + // body_invariant!(buf.len() == 0); + // body_invariant!(runs.get_runs_sum_max() == v.len()); + // body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + // body_invariant!(runs.get_runs_sum_cur() <= runs.get_runs_sum_max()); + // body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); + // body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); + // body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); + // body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j)))); + // //edit here, remove runs.len() == 0 ??? + // body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + // body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))); + // body_invariant!(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0)); + + // body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); - if r == runs.len() { - assert!(r == runs.len()); - break; - } else if runs.len() > 1 && r < runs.len() - 1 { - assert!(runs.len() > 1 && r < runs.len() - 1); - let left_start = runs.index_start(r + 1); - let left_len = runs.index_len(r + 1); - let right_start = runs.index_start(r); - let right_len = runs.index_len(r); - - assert!(left_start < right_start); - assert!(right_start + right_len <= runs.get_runs_sum_max()); - assert!(right_start + right_len <= v.len()); - assert!(left_start + left_len == right_start); + break; + // body_invariant!(runs.index_start(runs.len() - 1) == end); + + // body_invariant!(runs.index_start(0) + runs.index_len(0) == v.len()); + + // let r = collapse(&runs); + // assert!(runs.len() > 0); + + // assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); + // assert!(runs.len() < 2 || (runs.index_start(runs.len() - 1) != 0 || r == runs.len() - 2)); - merge( - &mut v[left_start..right_start + right_len], - left_len, - &mut buf, - ); + // assert!(runs.index_start(runs.len() - 1) != 0 || (runs.len() < 2 || r == runs.len() - 2)); + // // assert!(runs.index_start(runs.len() - 1) == end); + // assert!(end != 0 || (runs.len() < 2 || r == runs.len() - 2)); - buf = Buf::new(len / 2); - assert!(buf.len() == 0); + // if r == runs.len() { + // assert!(runs.len() > 0); - runs.merge(r); - } - + // assert!(runs.len() < 2 || (runs.index_start(runs.len() - 1) != 0 || r == runs.len() - 2)); + // assert!(r == runs.len()); + // // assert!(r != runs.len() - 2); + // assert!(runs.len() < 2 || runs.index_start(runs.len() - 1) != 0); + + // // // assert!(end == 0); + // // // assert!(runs.index_start(runs.len() - 1) == end); + // // // assert!(runs.index_start(runs.len() - 1) == 0); + + // // // assert!(runs.len() < 2); + // // // assert!(runs.len() == 1); + + // break; + // } else { + // break; + // } + // assert!(runs.len() > 1 && r < runs.len() - 1); + // assert!(runs.len() > 1); + + // let left_start = runs.index_start(r + 1); + // let left_len = runs.index_len(r + 1); + // let right_start = runs.index_start(r); + // let right_len = runs.index_len(r); + + // // working + // assert!(left_start < right_start); + // assert!(right_start + right_len <= runs.get_runs_sum_max()); + // assert!(right_start + right_len <= v.len()); + + // assert!(left_start + left_len == right_start); + + // // not working + // assert!(right_len > 0); + // assert!(left_start + left_len < right_start + right_len); + + // // merge requires + // // 1) v[left.start..left.start+left.len] is sorted + // // 2) v[right.start(=left.start+left.len)..right.start+right.len] is sorted + + // merge(v, left_start, left_start + left_len, right_start + right_len, &mut buf, &runs); + + // // merge ensures + // // 1) v[left.start..left.start+left.len] is sorted + // // 2) v[right.start(=left.start+left.len)..right.start+right.len] is sorted + // // 3) v[left.start..right.start+right.len] is sorted + + // buf = Buf::new(len / 2); + // assert!(buf.len() == 0); + + // // assert!(runs.len() > 1); + // runs.merge(r, &v); + // assert!(runs.len() > 0); + // } + // assert!(runs.len() > 0); } - + // assert!(runs.len() > 0); + + // assert!(end != 0 || runs.len() == 1); } + + assert!(runs.get_runs_sum_cur() == v.len()); + assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max()); + + assert!(runs.len() > 0); + // assert!(runs.len() == 1); + assert!(runs.index_start(0) + runs.index_len(0) == v.len()); + + assert!(end == 0); + assert!(runs.index_start(runs.len() - 1) == end); + assert!(runs.index_start(runs.len() - 1) == 0); + //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); -} \ No newline at end of file +} + +// Remaining things to prove +// 1) runs.index_start(runs.len() - 1) == end which will be 0 at the end +// 2) runs.len() == 0 || runs.index_start(0) + runs.index_len(0) == v.len() == runs.get_runs_sum_max() +// 3) at the end of the loop, runs.len() == 1 +// follows ==> runs.index_start(0) == 0 && runs.index_start(0) + runs.index_len(0) == v.len() && that run is sorted \ No newline at end of file From b587054a7d1461b31bd9ac262646d049145e5f33 Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Tue, 12 Jul 2022 08:00:28 +0100 Subject: [PATCH 13/14] add extra verified parts --- .../verifying_tim_sort/src/main.rs | 611 ++++++++++-------- 1 file changed, 349 insertions(+), 262 deletions(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index 5096d4cb91f..6aad2b9121f 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -1,4 +1,3 @@ -extern crate prusti_contracts; use prusti_contracts::*; use std::vec::Vec; @@ -13,48 +12,60 @@ pub fn main() { #[requires(v.len() > 1)] #[requires(start_index < end_index - 1)] #[requires(end_index > 1 && end_index <= v.len())] -// #[requires(forall(|i: usize| i < v.len() ==> (v[i] == 0 || v[i] == 1)))] #[requires(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y < end_index) ==> v[x] <= v[y]))] #[ensures(v.len() == old(v.len()))] -// #[ensures(forall(|i: usize| i < v.len() ==> (v[i] == 0 || v[i] == 1)))] -// #[ensures(sum_zero(v, v.len()) == sum_zero(old(v), v.len()))] #[ensures(forall(|x: usize, y: usize| (start_index <= x && x <= y && y < end_index) ==> v[x] <= v[y]))] + +#[requires(v.len() == runs.get_runs_sum_max())] +#[requires(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end_index)] +#[requires(runs.get_runs_sum_cur() == v.len() - end_index)] + +#[ensures(v.len() == runs.get_runs_sum_max())] +#[ensures(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end_index)] +#[ensures(runs.get_runs_sum_cur() == v.len() - end_index)] fn insert_head(v: &mut [i32], start_index: usize, end_index: usize) { - let mut i = start_index + 1; - while i < end_index { - body_invariant!(i < end_index); - body_invariant!(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y <= i) ==> v[x] <= v[y])); - i += 1; - } - if v.len() >= 2 && (v[start_index + 1] < v[start_index]) { + let len = v.len(); + + assert!(start_index < end_index - 1); + if v[start_index + 1] < v[start_index] { let tmp = v[start_index]; v[start_index] = v[start_index + 1]; let mut i = start_index + 2; + assert!(v[start_index] <= v[start_index + 1]); assert!(tmp >= v[start_index]); assert!(tmp >= v[start_index + 1]); + while i < end_index { + body_invariant!(v.len() == len); + body_invariant!(i >= start_index + 2 && i < end_index); + body_invariant!(end_index <= v.len()); + body_invariant!(i < v.len()); + body_invariant!(tmp >= v[i - 1]); body_invariant!(v[i - 2] == v[i - 1]); - body_invariant!(forall(|x: usize, y: usize| (i <= x && x <= y && y < end_index) ==> v[x] <= v[y])); + // body_invariant!(forall(|x: usize, y: usize| (i <= x && x <= y && y < end_index) ==> v[x] <= v[y])); + // body_invariant!(forall(|x: usize, y: usize| (start_index <= x && x <= y && y <= i) ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| (start_index <= x && x <= y && y < end_index) ==> v[x] <= v[y])); + if v[i] >= tmp { assert!(tmp >= v[i - 2]); + v[i - 1] = tmp; + assert!(v[i - 2] <= v[i - 1] && v[i - 1] <= v[i]); break; } - v[i - 1] = v[i]; assert!(tmp > v[i]); + + assert!(v[i - 1] <= v[i]); + assert!(v[i - 2] <= v[i - 1]); + v[i - 1] = v[i]; + assert!(v[i - 2] <= v[i - 1] && v[i - 1] <= v[i]); + i += 1; } v[i - 1] = tmp; - assert!(i == end_index || (tmp <= v[i] && tmp >= v[i - 2])); - } - let mut i = start_index; - while i < end_index { - body_invariant!(i < end_index); - body_invariant!(forall(|x: usize, y: usize| (start_index <= x && x <= y && y <= i) ==> v[x] <= v[y])); - i += 1; } } @@ -84,145 +95,194 @@ impl Buf { } #[trusted] - #[ensures(self.len() == old(self).len() + 1)] - pub fn push(&mut self, value: i32) { - self.v.push(value); + #[requires(i < v.len())] + #[requires(i == start + self.len())] + #[requires(forall(|x: usize| start <= x && x < i ==> self.index(x - start) == v[x]))] + #[requires(forall(|x: usize, y: usize| 0 <= x && x <= y && y < self.len() ==> self.index(x) <= self.index(y)))] + #[requires(forall(|x: usize, y: usize| start <= x && x <= y && y < start + self.len() ==> v[x] <= v[y]))] + + #[ensures(self.len() == old(self.len()) + 1)] + #[ensures(self.index(self.len() - 1) == v[i])] + #[ensures(forall(|x: usize| start <= x && x <= i ==> self.index(x - start) == v[x]))] + #[ensures(forall(|x: usize, y: usize| 0 <= x && x <= y && y < self.len() ==> self.index(x) <= self.index(y)))] + pub fn push(&mut self, v: &[i32], i: usize, start: usize) { + self.v.push(v[i]); } } #[trusted] -#[requires(start < mid_full && mid_full < end && end <= v_full.len())] +#[requires(start < mid && mid < end && end <= v.len())] #[requires(buf.len() == 0)] -#[requires(forall(|i: usize, j: usize| start <= i && i <= j && j < mid_full ==> v_full[i] <= v_full[j]))] -#[requires(forall(|i: usize, j: usize| mid_full <= i && i <= j && j < end ==> v_full[i] <= v_full[j]))] - -#[requires(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v_full[x] <= v_full[y]))] - -#[ensures(v_full.len() == old(v_full.len()))] -#[ensures(forall(|i: usize, j: usize| start <= i && i <= j && j < mid_full ==> v_full[i] <= v_full[j]))] -#[ensures(forall(|i: usize, j: usize| mid_full <= i && i <= j && j < end ==> v_full[i] <= v_full[j]))] -#[ensures(forall(|i: usize, j: usize| start <= i && i <= j && j < end ==> v_full[i] <= v_full[j]))] - -#[ensures(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v_full[x] <= v_full[y]))] -fn merge(v_full: &mut [i32], start: usize, mid_full: usize, end: usize, buf: &mut Buf, runs: &Runs) { - let v = &mut v_full[start..end]; - let mid = mid_full - start; - //assert!(v.len() == end - start); - //assert!(0 < mid_full - start && mid_full - start < v.len()); - // #[ensures(forall(|i: usize, j: usize| start <= i && i < end && j == i - start ==> v[i] == result[j]))] +#[requires(forall(|i: usize, j: usize| start <= i && i <= j && j < mid ==> v[i] <= v[j]))] +#[requires(forall(|i: usize, j: usize| mid <= i && i <= j && j < end ==> v[i] <= v[j]))] +#[ensures(v.len() == old(v.len()))] +#[ensures(forall(|i: usize, j: usize| start <= i && i <= j && j < mid ==> v[i] <= v[j]))] +#[ensures(forall(|i: usize, j: usize| mid <= i && i <= j && j < end ==> v[i] <= v[j]))] +#[ensures(forall(|i: usize, j: usize| start <= i && i <= j && j < end ==> v[i] <= v[j]))] +fn merge(v: &mut [i32], start: usize, mid: usize, end: usize, buf: &mut Buf) { let len = v.len(); - if mid <= len - mid { - let mut i = 0; + + if mid - start <= end - mid { + let mut i = start; while i < mid { body_invariant!(v.len() == len); body_invariant!(i < mid); - body_invariant!(buf.len() == i); - body_invariant!(buf.len() < mid); + body_invariant!(buf.len() == i - start); + body_invariant!(buf.len() < mid - start); + body_invariant!(forall(|x: usize| start <= x && x < i ==> buf.index(x - start) == v[x])); + body_invariant!(forall(|x: usize, y: usize| start <= x && x <= y && y < i ==> buf.index(x - start) <= buf.index(y - start))); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < buf.len() ==> buf.index(x) <= buf.index(y))); - buf.push(v[i]); + buf.push(&v, i, start); i += 1; - assert!(buf.len() <= mid); + assert!(buf.len() <= mid - start); } - assert!(buf.len() == mid); + assert!(buf.len() == mid - start); let mut left = 0; let mut right = mid; - let mut out = 0; + let mut out = start; - while left < mid && right < len { + while left < mid - start && right < end { body_invariant!(v.len() == len); - body_invariant!(right < len); - body_invariant!(len == v.len()); + body_invariant!(right < end); + body_invariant!(end <= v.len()); body_invariant!(right < v.len()); - body_invariant!(left < mid); - body_invariant!(buf.len() == mid); + body_invariant!(left < mid - start); + body_invariant!(buf.len() == mid - start); body_invariant!(left < buf.len()); - body_invariant!(left + right - mid < v.len()); - body_invariant!(out <= left + right - mid); - body_invariant!(out < v.len()); + body_invariant!(left + right - mid < end - start); + body_invariant!(out == start + left + right - mid); + body_invariant!(out - start == left + right - mid); + body_invariant!(out < end); + body_invariant!(out < right); + + body_invariant!((left <= 0 && right <= mid) || out > start); + + body_invariant!(forall(|x: usize, y: usize| start <= x && x <= y && y < out ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < end ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < buf.len() ==> buf.index(x) <= buf.index(y))); + + // body_invariant!(out <= start || (0 < left && left < buf.len() && v[out - 1] == buf.index(left - 1)) || (mid < right && right < len && v[out - 1] == v[right - 1])); + body_invariant!(out <= start || (v[out - 1] <= buf.index(left) && v[out - 1] <= v[right])); + + // assert!(right == mid || (out > start && v[out - 1] <= v[right] && v[out - 1] <= buf.index(left))); + // assert!(left == 0 || (out > start && v[out - 1] <= v[right] && v[out - 1] <= buf.index(left))); + + body_invariant!(left == 0 || buf.index(left - 1) <= buf.index(left)); + body_invariant!(right <= mid || v[right - 1] <= v[right]); - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < out ==> v[x] <= v[y])); - // body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < len ==> v[x] <= v[y])); + // assert!(out - start == left + right - mid); + // assert!(out == start || left > 0 || right > mid); + // assert!(left == 0 || out > start); + // assert!(right == mid || out > start); if v[right] < buf.index(left) { + // assert!(left == 0 || buf.index(left - 1) <= v[out - 1]); + // assert!(left == 0 || v[out - 1] <= v[right]); + // assert!(left == 0 || buf.index(left - 1) <= v[right]); + assert!(out <= start || v[out - 1] <= v[right]); v[out] = v[right]; + assert!(v[out] == v[right] && v[right] < buf.index(left)); + assert!(v[out] <= buf.index(left)); + assert!(out <= start || v[out - 1] <= v[out]); right += 1; + assert!(v[out] == v[right - 1]); + assert!(!(right >= mid && right < end) || v[right - 1] <= v[right]); + assert!(!(right >= mid && right < end) || v[out] <= v[right]); } else { + // assert!(right <= mid || v[right - 1] <= v[out - 1]); + // assert!(right <= mid || v[out - 1] <= buf.index(left)); + // assert!(right <= mid || v[right - 1] <= buf.index(left)); + assert!(out == start || v[out - 1] <= buf.index(left)); v[out] = buf.index(left); + assert!(out == start || v[out - 1] <= v[out]); + assert!(v[out] == buf.index(left) && buf.index(left) <= v[right]); + assert!(v[out] <= v[right]); left += 1; + assert!(v[out] == buf.index(left - 1)); + assert!(left >= buf.len() || buf.index(left - 1) <= buf.index(left)); + assert!(left >= buf.len() || v[out] <= buf.index(left)); } out += 1; } - assert!(out == mid); + assert!(out == start + left + right - mid); assert!(v.len() == len); - - while left < mid { + assert!(left >= buf.len() || v[out - 1] <= buf.index(left)); + + while left < buf.len() { body_invariant!(v.len() == len); - body_invariant!(left < mid); - body_invariant!(v.len() - out >= mid - left); - body_invariant!(out < v.len()); - - body_invariant!(left < mid); - body_invariant!(buf.len() == mid); + body_invariant!(buf.len() == mid - start); body_invariant!(left < buf.len()); + body_invariant!(left < mid - start); - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < out ==> v[x] <= v[y])); - // body_invariant!(forall(|x: usize, y: usize| right <= x && x <= y && y < len ==> v[x] <= v[y])); // we can remove this + body_invariant!(out > start); + body_invariant!(out == start + left + right - mid); + // body_invariant!(left < mid - start); + body_invariant!(out < right); + body_invariant!(right == end); + body_invariant!(out < end); + + // body_invariant!(end - out >= (mid - start) - left); + // body_invariant!(end - out >= buf.len() - left); + + body_invariant!(forall(|x: usize, y: usize| start <= x && x <= y && y < out ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < buf.len() ==> buf.index(x) <= buf.index(y))); + body_invariant!(v[out - 1] <= buf.index(left)); v[out] = buf.index(left); + // assert!(v[out] == buf.index(left)); + // assert!(v[out - 1] <= buf.index(left)); + assert!(v[out - 1] <= v[out]); out += 1; left += 1; + assert!(v[out - 1] == buf.index(left - 1)); + assert!(left >= buf.len() || buf.index(left - 1) <= buf.index(left)); + assert!(left >= buf.len() || v[out - 1] <= buf.index(left)); } - - assert!(out == right); - let mut u = 0; - while u < len { - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < u ==> v[x] <= v[y])); - u += 1; - } - + assert!(out == right); assert!(v.len() == len); } else { let mut i = mid; - while i < len { + while i < end { body_invariant!(v.len() == len); - body_invariant!(i >= mid && i < len); + body_invariant!(i >= mid && i < end); body_invariant!(buf.len() == i - mid); - body_invariant!(buf.len() < len - mid); - buf.push(v[i]); + body_invariant!(buf.len() < end - mid); + body_invariant!(forall(|x: usize| mid <= x && x < i ==> buf.index(x - mid) == v[x])); + body_invariant!(forall(|x: usize, y: usize| mid <= x && x <= y && y < i ==> buf.index(x - mid) <= buf.index(y - mid))); + body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < buf.len() ==> buf.index(x) <= buf.index(y))); + + buf.push(&v, i, mid); i += 1; - assert!(buf.len() <= len - mid); + assert!(buf.len() <= end - mid); } - assert!(buf.len() == len - mid); + assert!(buf.len() == end - mid); let mut left = mid; - let mut right = len - mid; - let mut out = len; + let mut right = end - mid; + let mut out = end; - while left > 0 && right > 0 { + while left > start && right > 0 { body_invariant!(v.len() == len); - body_invariant!(left >= 1); - body_invariant!(mid <= v.len()); - body_invariant!(left <= mid); - body_invariant!(left <= v.len()); + body_invariant!(left > start && left <= mid); + body_invariant!(right < end - mid); + body_invariant!(buf.len() == len - mid); + body_invariant!(right < buf.len()); - body_invariant!(right >= 1); - body_invariant!(right <= len - mid); - body_invariant!(right <= buf.len()); - - body_invariant!(out <= v.len()); - body_invariant!(left + right > 0); + body_invariant!(out <= end); + body_invariant!(left + right - start> 0); body_invariant!(out == left + right); - body_invariant!(out > 0); + body_invariant!(out > start); // body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < left ==> v[x] <= v[y])); body_invariant!(forall(|x: usize, y: usize| out <= x && x <= y && y < len ==> v[x] <= v[y])); @@ -237,35 +297,28 @@ fn merge(v_full: &mut [i32], start: usize, mid_full: usize, end: usize, buf: &mu } } - assert!(out == mid); + assert!(out == left + right); assert!(v.len() == len); + while right > 0 { body_invariant!(v.len() == len); - body_invariant!(right >= 1); + body_invariant!(right > start); - body_invariant!(right <= len - mid); - body_invariant!(right <= buf.len()); - - body_invariant!(right <= len); - body_invariant!(right <= v.len()); - + body_invariant!(right < end - mid); + body_invariant!(right < buf.len()); + body_invariant!(right <= end); + // body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < left ==> v[x] <= v[y])); // we can remove this // body_invariant!(forall(|x: usize, y: usize| out <= x && x <= y && y < len ==> v[x] <= v[y])); // we can remove this right -= 1; - v[right] = buf.index(right); + out -= 1; + v[out] = buf.index(right); } assert!(out == left); - - let mut u = 0; - while u < len { - body_invariant!(forall(|x: usize, y: usize| 0 <= x && x <= y && y < u ==> v[x] <= v[y])); - u += 1; - } - assert!(v.len() == len); } } @@ -415,8 +468,10 @@ impl Runs { } } +#[requires(runs.len() > 0)] #[requires(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max())))] #[ensures(result == runs.len() || (runs.len() > 1 && result < runs.len() - 1))] +#[ensures(runs.len() > 0)] #[ensures(runs.len() < 2 || (runs.index_start(runs.len() - 1) != 0 || result == runs.len() - 2))] fn collapse(runs: &Runs) -> usize { let n = runs.len(); @@ -472,6 +527,48 @@ fn sort_small_array(v: &mut [i32]) { } } +#[trusted] +#[requires(start < end && end <= v.len())] +#[requires(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] >= v[y]))] +#[ensures(v.len() == old(v.len()))] +#[ensures(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y]))] +fn reverse_sorted_array_slice(v: &mut [i32], start: usize, end: usize) { + let len = v.len(); + assert!(v.len() == len); + + let mut i = start; + let mut j = end - 1; + assert!(i <= j); + + while i < j { + body_invariant!(v.len() == len); + + body_invariant!(start <= i); + body_invariant!(j < end); + body_invariant!(i < j); + body_invariant!(i < v.len() && j < v.len()); + + body_invariant!(forall(|x: usize, y: usize| (i <= x && x <= y && y <= j) ==> v[x] >= v[y])); + body_invariant!(forall(|x: usize| (start <= x && x < i) ==> v[j] >= v[x])); + body_invariant!(forall(|x: usize| (j < x && x < end) ==> v[i] <= v[x])); + body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < i) ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| (j < x && x <= y && y < end) ==> v[x] <= v[y])); + + assert!(v[i] >= v[j]); + + let temp = v[i]; + v[i] = v[j]; + v[j] = temp; + + assert!(v[i] <= v[j]); + + i += 1; + j -= 1; + } + + assert!(i == j || j == i - 1); + assert!(v.len() == len); +} // the last pre and post conditions are not proved inside the function yet #[trusted] @@ -513,25 +610,24 @@ fn sort_small_array(v: &mut [i32]) { fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) -> usize { let mut start = end - 1; assert!(start < end); - - let mut u = 0; - while u < runs.len() { - body_invariant!(u < runs.len()); - body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < 0 && runs.index_len(i) <= x && x <= y && y <= runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); - u += 1; - } + // assert!(runs.get_runs_sum_cur() == v.len() - end); + if start > 0 { start -= 1; assert!(start < end - 1); assert!(end <= v.len()); assert!(start < v.len() - 1); + // assert!(runs.get_runs_sum_cur() == v.len() - end); if v[start + 1] < v[start] { assert!(v[start] >= v[start + 1]); while start > 0 { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && start < v.len() - 1 && start < end); body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] >= v[y])); + + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + if !(v[start] < v[start - 1]) { break; } @@ -539,25 +635,17 @@ fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) start -= 1; assert!(v[start] >= v[start + 1]); } - let mut i = start; - while i < end { - body_invariant!(i < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] >= v[y])); - i += 1; - } - v[start..end].reverse(); - let mut i = start; - while i < end { - body_invariant!(i < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] <= v[y])); - i += 1; - } + reverse_sorted_array_slice(v, start, end); } else { assert!(v[start] <= v[start + 1]); while start > 0 { body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && start < v.len() - 1 && start < end); body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y])); + + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + + if v[start] < v[start - 1] { break; } @@ -565,70 +653,69 @@ fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) start -= 1; assert!(v[start] <= v[start + 1]); } - let mut i = start; - while i < end { - body_invariant!(i < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] <= v[y])); - i += 1; - } } } + // assert!(runs.get_runs_sum_cur() == v.len() - end); + + assert!(runs.get_runs_sum_max() == v.len()); + assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end); assert!(runs.get_runs_sum_cur() == v.len() - end); while start > 0 && end - start < MIN_RUN { - body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(runs.get_runs_sum_max() == v.len()); + body_invariant!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end); + // body_invariant!(runs.get_runs_sum_cur() == v.len() - end); body_invariant!(start >= 1 && end <= v.len() && start < end); body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y < end) ==> v[x] <= v[y])); + // assert!(runs.get_runs_sum_max() == v.len()); + assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end); + assert!(runs.get_runs_sum_cur() == v.len() - end); start -= 1; - insert_head(v, start, end); - } - - let mut i = start; - while i < end { - body_invariant!(i < end); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] >= v[y])); - i += 1; + insert_head(v, start, end, &runs); + assert!(runs.get_runs_sum_max() == v.len()); + assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end); + assert!(runs.get_runs_sum_cur() == v.len() - end); } + assert!(runs.get_runs_sum_max() == v.len()); + assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end); assert!(runs.get_runs_sum_cur() == v.len() - end); - assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); - assert!(start < end); - assert!(runs.len() == 0 || (runs.index_start(runs.len() - 1) == end && start < runs.index_start(runs.len() - 1))); - - let new_len = end - start; - assert!(new_len > 0); - assert!(start + new_len <= v.len()); - assert!(start + new_len <= runs.get_runs_sum_max()); + // assert!(runs.get_runs_sum_cur() == v.len() - end); - assert!(start + new_len == end); - assert!(runs.len() == 0 || start + new_len == runs.index_start(runs.len() - 1)); - - let mut i = start; - while i < start + new_len { - body_invariant!(i < start + new_len); - body_invariant!(forall(|x: usize, y: usize| (start <= x && x <= y && y <= i) ==> v[x] >= v[y])); - i += 1; - } - - // assert!((runs.len() == 0 && end == v.len()) || (runs.len() > 0 && runs.index_start(0) + runs.index_len(0) == v.len())); + // -- HERE + + // assert!(runs.get_runs_sum_cur() == v.len() - end); + // assert!(v.len() - runs.get_runs_sum_cur() == end); + // assert!(v.len() == runs.get_runs_sum_max()); + // assert!(runs.get_runs_sum_max() - runs.get_runs_sum_cur() == end); + + // assert!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + // assert!(start < end); + // assert!(runs.len() == 0 || (runs.index_start(runs.len() - 1) == end && start < runs.index_start(runs.len() - 1))); + + // let new_len = end - start; + // assert!(new_len > 0); + // assert!(start + new_len <= v.len()); + // assert!(start + new_len <= runs.get_runs_sum_max()); + + // assert!(start + new_len == end); + // assert!(runs.len() == 0 || start + new_len == runs.index_start(runs.len() - 1)); - runs.push(start, new_len, &v); + // runs.push(start, new_len, &v); - assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - start); - assert!(runs.get_runs_sum_max() == v.len()); - assert!(runs.get_runs_sum_cur() == v.len() - start); + // assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - start); + // assert!(runs.get_runs_sum_max() == v.len()); + // assert!(runs.get_runs_sum_cur() == v.len() - start); - end = start; + // end = start; - assert!(runs.get_runs_sum_cur() == v.len() - end); + // assert!(runs.get_runs_sum_cur() == v.len() - end); return end; } - #[requires(v.len() <= usize::MAX)] // #[ensures(forall(|x: usize, y: usize| ((0 <= x && x <= y && y < v.len()) ==> v[x] <= v[y])))] fn merge_sort(v: &mut [i32]) { @@ -677,125 +764,125 @@ fn merge_sort(v: &mut [i32]) { assert!(end >= 1 && end <= v.len()); end = push_new_run(v, &mut runs, end, MIN_RUN_COPY); - // assert!(runs.get_runs_sum_cur() == v.len() - end); - // assert!(runs.get_runs_sum_max() == v.len()); + assert!(runs.get_runs_sum_cur() == v.len() - end); + assert!(runs.get_runs_sum_max() == v.len()); - // assert!(runs.len() > 0); - // assert!(runs.index_start(runs.len() - 1) == end); + assert!(runs.len() > 0); + assert!(runs.index_start(runs.len() - 1) == end); - // assert!(runs.index_start(0) + runs.index_len(0) == v.len()); + assert!(runs.index_start(0) + runs.index_len(0) == v.len()); // let length = runs.len(); - assert!(runs.len() > 0); + // assert!(runs.len() > 0); loop { body_invariant!(runs.len() > 0); - // body_invariant!(buf.len() == 0); - // body_invariant!(runs.get_runs_sum_max() == v.len()); - // body_invariant!(runs.get_runs_sum_cur() == v.len() - end); - // body_invariant!(runs.get_runs_sum_cur() <= runs.get_runs_sum_max()); - // body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); - // body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); - // body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); - // body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j)))); - // //edit here, remove runs.len() == 0 ??? - // body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); - // body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))); - // body_invariant!(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0)); - - // body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); + body_invariant!(buf.len() == 0); + body_invariant!(runs.get_runs_sum_max() == v.len()); + body_invariant!(runs.get_runs_sum_cur() == v.len() - end); + body_invariant!(runs.get_runs_sum_cur() <= runs.get_runs_sum_max()); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) <= runs.get_runs_sum_cur()))); + body_invariant!(forall(|i: usize, j: usize| (0 <= i && i < runs.len() && i < j && j < runs.len() ==> runs.index_len(i) + runs.index_len(j) <= runs.get_runs_sum_max()))); + body_invariant!(forall(|i: usize| (0 <= i && i < runs.len() ==> runs.index_len(i) + runs.index_start(i) <= runs.get_runs_sum_max()))); + body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| (0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(i) > runs.index_start(j)))); + //edit here, remove runs.len() == 0 ??? + body_invariant!(runs.len() == 0 || runs.index_start(runs.len() - 1) == runs.get_runs_sum_max() - runs.get_runs_sum_cur()); + body_invariant!(runs.len() < 2 || forall(|i: usize, j: usize| 0 <= i && i < (runs.len() - 1) && j == i + 1 ==> runs.index_start(j) + runs.index_len(j) == runs.index_start(i))); + body_invariant!(forall(|i: usize| 0 <= i && i < runs.len() ==> runs.index_len(i) > 0)); + + body_invariant!(forall(|i: usize, x: usize, y: usize| (0 <= i && i < runs.len() && runs.index_start(i) <= x && x <= y && y < runs.index_start(i) + runs.index_len(i)) ==> v[x] <= v[y])); + body_invariant!(runs.index_start(runs.len() - 1) == end); - break; - // body_invariant!(runs.index_start(runs.len() - 1) == end); - - // body_invariant!(runs.index_start(0) + runs.index_len(0) == v.len()); + body_invariant!(runs.index_start(0) + runs.index_len(0) == v.len()); - // let r = collapse(&runs); - // assert!(runs.len() > 0); - // assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); - // assert!(runs.len() < 2 || (runs.index_start(runs.len() - 1) != 0 || r == runs.len() - 2)); + let r = collapse(&runs); + assert!(runs.len() > 0); + + + assert!(r == runs.len() || (runs.len() > 1 && r < runs.len() - 1)); + assert!(runs.len() < 2 || (runs.index_start(runs.len() - 1) != 0 || r == runs.len() - 2)); - // assert!(runs.index_start(runs.len() - 1) != 0 || (runs.len() < 2 || r == runs.len() - 2)); - // // assert!(runs.index_start(runs.len() - 1) == end); - // assert!(end != 0 || (runs.len() < 2 || r == runs.len() - 2)); + assert!(runs.index_start(runs.len() - 1) != 0 || (runs.len() < 2 || r == runs.len() - 2)); + assert!(runs.index_start(runs.len() - 1) == end); + assert!(end != 0 || (runs.len() < 2 || r == runs.len() - 2)); + - // if r == runs.len() { - // assert!(runs.len() > 0); + // assert!(runs.len() > 0); + if r == runs.len() { + assert!(runs.len() > 0); - // assert!(runs.len() < 2 || (runs.index_start(runs.len() - 1) != 0 || r == runs.len() - 2)); - // assert!(r == runs.len()); - // // assert!(r != runs.len() - 2); - // assert!(runs.len() < 2 || runs.index_start(runs.len() - 1) != 0); - - // // // assert!(end == 0); - // // // assert!(runs.index_start(runs.len() - 1) == end); - // // // assert!(runs.index_start(runs.len() - 1) == 0); + assert!(runs.len() < 2 || (runs.index_start(runs.len() - 1) != 0 || r == runs.len() - 2)); + assert!(r == runs.len()); + // assert!(r != runs.len() - 2); + assert!(runs.len() < 2 || runs.index_start(runs.len() - 1) != 0); + + // // assert!(end == 0); + // // assert!(runs.index_start(runs.len() - 1) == end); + // // assert!(runs.index_start(runs.len() - 1) == 0); - // // // assert!(runs.len() < 2); - // // // assert!(runs.len() == 1); - - // break; - // } else { - // break; - // } - // assert!(runs.len() > 1 && r < runs.len() - 1); - // assert!(runs.len() > 1); - - // let left_start = runs.index_start(r + 1); - // let left_len = runs.index_len(r + 1); - // let right_start = runs.index_start(r); - // let right_len = runs.index_len(r); + // // assert!(runs.len() < 2); + // // assert!(runs.len() == 1); + + break; + } else { + assert!(runs.len() > 1 && r < runs.len() - 1); + assert!(runs.len() > 1); + + let left_start = runs.index_start(r + 1); + let left_len = runs.index_len(r + 1); + let right_start = runs.index_start(r); + let right_len = runs.index_len(r); - // // working - // assert!(left_start < right_start); - // assert!(right_start + right_len <= runs.get_runs_sum_max()); - // assert!(right_start + right_len <= v.len()); + // working + assert!(left_start < right_start); + assert!(right_start + right_len <= runs.get_runs_sum_max()); + assert!(right_start + right_len <= v.len()); - // assert!(left_start + left_len == right_start); + assert!(left_start + left_len == right_start); - // // not working - // assert!(right_len > 0); - // assert!(left_start + left_len < right_start + right_len); + // not working + assert!(right_len > 0); + assert!(left_start + left_len < right_start + right_len); - // // merge requires - // // 1) v[left.start..left.start+left.len] is sorted - // // 2) v[right.start(=left.start+left.len)..right.start+right.len] is sorted + // merge requires + // 1) v[left.start..left.start+left.len] is sorted + // 2) v[right.start(=left.start+left.len)..right.start+right.len] is sorted - // merge(v, left_start, left_start + left_len, right_start + right_len, &mut buf, &runs); + merge(v, left_start, left_start + left_len, right_start + right_len, &mut buf, &runs); - // // merge ensures - // // 1) v[left.start..left.start+left.len] is sorted - // // 2) v[right.start(=left.start+left.len)..right.start+right.len] is sorted - // // 3) v[left.start..right.start+right.len] is sorted + // merge ensures + // 1) v[left.start..left.start+left.len] is sorted + // 2) v[right.start(=left.start+left.len)..right.start+right.len] is sorted + // 3) v[left.start..right.start+right.len] is sorted - // buf = Buf::new(len / 2); - // assert!(buf.len() == 0); + buf = Buf::new(len / 2); + assert!(buf.len() == 0); - // // assert!(runs.len() > 1); - // runs.merge(r, &v); - // assert!(runs.len() > 0); - // } - // assert!(runs.len() > 0); + // assert!(runs.len() > 1); + runs.merge(r, &v); + assert!(runs.len() > 0); + } + assert!(runs.len() > 0); } // assert!(runs.len() > 0); // assert!(end != 0 || runs.len() == 1); } - assert!(runs.get_runs_sum_cur() == v.len()); - assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max()); + // assert!(runs.get_runs_sum_cur() == v.len()); + // assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max()); - assert!(runs.len() > 0); - // assert!(runs.len() == 1); - assert!(runs.index_start(0) + runs.index_len(0) == v.len()); + // assert!(runs.len() > 0); + // // assert!(runs.len() == 1); + // assert!(runs.index_start(0) + runs.index_len(0) == v.len()); - assert!(end == 0); - assert!(runs.index_start(runs.len() - 1) == end); - assert!(runs.index_start(runs.len() - 1) == 0); + // assert!(end == 0); + // assert!(runs.index_start(runs.len() - 1) == end); + // assert!(runs.index_start(runs.len() - 1) == 0); //debug_assert!(runs.len() == 1 && runs.index(0).start == 0 && runs.index(0).len == len); } From c6d6285af0f2d58a88724c5af4572c2f9b7c9835 Mon Sep 17 00:00:00 2001 From: Omar Tarek Date: Tue, 12 Jul 2022 20:09:36 +0100 Subject: [PATCH 14/14] fix compilation error --- .../verifying_tim_sort/src/main.rs | 57 ++++++++++++++++++- 1 file changed, 55 insertions(+), 2 deletions(-) diff --git a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs index 6aad2b9121f..d4c233c0224 100644 --- a/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs +++ b/prusti-tests/tests/cargo_verify/verifying_tim_sort/src/main.rs @@ -24,6 +24,59 @@ pub fn main() { #[ensures(v.len() == runs.get_runs_sum_max())] #[ensures(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end_index)] #[ensures(runs.get_runs_sum_cur() == v.len() - end_index)] +fn insert_head_for_push_new_run(v: &mut [i32], start_index: usize, end_index: usize, runs: &Runs) { + let len = v.len(); + + assert!(start_index < end_index - 1); + if v[start_index + 1] < v[start_index] { + let tmp = v[start_index]; + v[start_index] = v[start_index + 1]; + let mut i = start_index + 2; + + assert!(v[start_index] <= v[start_index + 1]); + assert!(tmp >= v[start_index]); + assert!(tmp >= v[start_index + 1]); + + while i < end_index { + body_invariant!(v.len() == len); + + body_invariant!(i >= start_index + 2 && i < end_index); + body_invariant!(end_index <= v.len()); + body_invariant!(i < v.len()); + + body_invariant!(tmp >= v[i - 1]); + body_invariant!(v[i - 2] == v[i - 1]); + // body_invariant!(forall(|x: usize, y: usize| (i <= x && x <= y && y < end_index) ==> v[x] <= v[y])); + // body_invariant!(forall(|x: usize, y: usize| (start_index <= x && x <= y && y <= i) ==> v[x] <= v[y])); + body_invariant!(forall(|x: usize, y: usize| (start_index <= x && x <= y && y < end_index) ==> v[x] <= v[y])); + + if v[i] >= tmp { + assert!(tmp >= v[i - 2]); + v[i - 1] = tmp; + assert!(v[i - 2] <= v[i - 1] && v[i - 1] <= v[i]); + break; + } + assert!(tmp > v[i]); + + assert!(v[i - 1] <= v[i]); + assert!(v[i - 2] <= v[i - 1]); + v[i - 1] = v[i]; + assert!(v[i - 2] <= v[i - 1] && v[i - 1] <= v[i]); + + i += 1; + } + v[i - 1] = tmp; + } +} + +#[trusted] +#[requires(v.len() > 1)] +#[requires(start_index < end_index - 1)] +#[requires(end_index > 1 && end_index <= v.len())] +#[requires(forall(|x: usize, y: usize| (start_index + 1 <= x && x <= y && y < end_index) ==> v[x] <= v[y]))] + +#[ensures(v.len() == old(v.len()))] +#[ensures(forall(|x: usize, y: usize| (start_index <= x && x <= y && y < end_index) ==> v[x] <= v[y]))] fn insert_head(v: &mut [i32], start_index: usize, end_index: usize) { let len = v.len(); @@ -672,7 +725,7 @@ fn push_new_run(v: &mut [i32], runs: &mut Runs, mut end: usize, MIN_RUN: usize) assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end); assert!(runs.get_runs_sum_cur() == v.len() - end); start -= 1; - insert_head(v, start, end, &runs); + insert_head_for_push_new_run(v, start, end, &runs); assert!(runs.get_runs_sum_max() == v.len()); assert!(runs.get_runs_sum_cur() == runs.get_runs_sum_max() - end); assert!(runs.get_runs_sum_cur() == v.len() - end); @@ -852,7 +905,7 @@ fn merge_sort(v: &mut [i32]) { // 1) v[left.start..left.start+left.len] is sorted // 2) v[right.start(=left.start+left.len)..right.start+right.len] is sorted - merge(v, left_start, left_start + left_len, right_start + right_len, &mut buf, &runs); + merge(v, left_start, left_start + left_len, right_start + right_len, &mut buf); // merge ensures // 1) v[left.start..left.start+left.len] is sorted