seng2011/1/ex5.dfy


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

predicate exist1(a: array<int>, x:int) 
    reads a;
{
    multiset(a[..])[x] == 1
}

predicate exist2(a: array<int>, x:int) 
    reads a;
{
    multiset(a[..])[x] >= 2
}

predicate tail(a: array<int>) 
    reads a;
{
    forall i : int :: 0 <= i < a.Length ==> 
        (a[i] != 0 || multiset(a[i..])[0] == a.Length - i)
}

method test1() 
{
    var a := new int[3][1, 2, 2];
    assert a[..] == [1, 2, 2];

    assert !exist1(a, 0);
    assert exist1(a, 1);
    assert !exist1(a, 2);
}

method test2() 
{
    var a := new int[6][1, 2, 2, 3, 3, 3];
    assert a[..] == [1, 2, 2, 3, 3, 3];

    assert !exist2(a, 0);
    assert !exist2(a, 1);
    assert exist2(a, 2);
    assert exist2(a, 3);
}

method test3()
{
    var a := new int[4][1, 2, 3, 0];
    assert a[..] == [1, 2, 3, 0];
    assert tail(a);

    // "no zeros is vacuously true"
    var b := new int[4][1, 2, 3, 4];
    assert b[..] == [1, 2, 3, 4];
    assert tail(b);

    var c := new int[6][1, 2, 3, 0, 5, 6];
    assert c[..] == [1, 2, 3, 0, 5, 6];
    assert c[3..] == [0, 5, 6];
    assert !tail(c);

    var d := new int[6][1, 2, 0, 0, 5, 0];
    assert d[..] == [1, 2, 0, 0, 5, 0];
    assert d[2..] == [0, 0, 5, 0];
    assert !tail(d);
}