diff --git a/src/Collections/Multiset/Multiset.dfy b/src/Collections/Multiset/Multiset.dfy new file mode 100644 index 00000000..88edf33a --- /dev/null +++ b/src/Collections/Multiset/Multiset.dfy @@ -0,0 +1,46 @@ +// RUN: %dafny /compile:0 "%s" > "%t" +// RUN: %diff "%s.expect" "%t" + +/******************************************************************************* +* Copyright by the contributors to the Dafny Project +* SPDX-License-Identifier: MIT +*******************************************************************************/ + +module Multiset { + + /* converts a multiset to a set */ + function method {:opaque} ToSet(s: multiset): set + { + set x: T | x in s + } + + /* proves that the cardinality of a multiset is always more than or equal to that + of the conversion to a set */ + lemma LemmaCardinalityOfToSetBound(m: multiset) + ensures |ToSet(m)| <= |m| + { + reveal ToSet(); + if |m| == 0 { + } else { + var x :| x in m; + var xs := multiset{}[x := m[x]]; + assert ToSet(xs) == {x}; + var rest := m - xs; + LemmaCardinalityOfSetBound(rest); + assert ToSet(m) == ToSet(xs) + ToSet(rest); + } + } + + lemma LemmaCardinalityOfSetWithDuplicates(m: multiset, x: T) + requires m[x] > 1 + ensures |ToSet(m)| < |m| + { + reveal ToSet(); + var xs := multiset{}[x := m[x]]; + assert ToSet(xs) == {x}; + var rest := m - xs; + LemmaCardinalityOfSetBound(rest); + assert ToSet(m) == ToSet(xs) + ToSet(rest); + assert |xs| > 1; + } +} diff --git a/src/Collections/Multiset/Multiset.dfy.expect b/src/Collections/Multiset/Multiset.dfy.expect new file mode 100644 index 00000000..ebe2328e --- /dev/null +++ b/src/Collections/Multiset/Multiset.dfy.expect @@ -0,0 +1,2 @@ + +Dafny program verifier finished with 2 verified, 0 errors diff --git a/src/Collections/Sequences/Seq.dfy b/src/Collections/Sequences/Seq.dfy index 060168dd..6f8ab4dd 100644 --- a/src/Collections/Sequences/Seq.dfy +++ b/src/Collections/Sequences/Seq.dfy @@ -766,4 +766,43 @@ module Seq { } } + /* If the multiset of a is a subset of the multiset of b, + * then every item in a is in b. + */ + lemma LemmaMultisetSubsetImpliesSeqMemebership(a: seq, b: seq) + requires multiset(a) <= multiset(b) + ensures forall i | i in a :: i in b + { + if |a| == 0 { + } else { + assert multiset{First(a)} <= multiset(b); + assert First(a) in b; + assert a == [First(a)] + a[1..]; + LemmaMultisetSubsetImpliesSeqMemebership(a[1..], b); + } + } + + /* Every item in the parts to be flattend + * is in the flattened seq. + */ + lemma LemmaFlattenMembership(parts: seq>, flat: seq) + requires Flatten(parts) == flat + ensures forall index + | 0 <= index < |parts| + :: multiset(parts[index]) <= multiset(flat) + ensures multiset(Flatten(parts)) == multiset(flat) + ensures forall part | part in parts + :: (forall i | i in part :: i in flat) + ensures forall i | i in flat + :: (exists part | part in parts :: i in part) + { + if |parts| == 0 { + } else { + assert multiset(First(parts)) <= multiset(flat); + assert parts == [First(parts)] + parts[1..]; + assert flat == First(parts) + Flatten(parts[1..]); + LemmaFlattenMembership(parts[1..], Flatten(parts[1..])); + } + } + } diff --git a/src/Collections/Sequences/Seq.dfy.expect b/src/Collections/Sequences/Seq.dfy.expect index 808136c6..ef71487d 100644 --- a/src/Collections/Sequences/Seq.dfy.expect +++ b/src/Collections/Sequences/Seq.dfy.expect @@ -1,2 +1,2 @@ -Dafny program verifier finished with 71 verified, 0 errors +Dafny program verifier finished with 74 verified, 0 errors