Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Functional Programming

Exercises_Lists

advertisement 
Functional programming in Dafny
Exercise: List Functions
Will Sonnex and Sophia Drossopoulou
Aims: In this exercise the students will practice proving simple inductive properties of recursive
functions. The students will also “check” assertions, .e., they will be given some assertion, and they
will have to either find a counterexample, or prove the assertion. They will also be asked to write a
function which satisfies some given properties.
Start by opening the provided “List.dfy”, Observe the four given function definitions, and the
properties we have expressed about them. Make sure this file can be verified by Dafny before
proceeding.
datatype list<T> = Nil | Cons(T, list<T>);
// appends two lists
function app(xs: list, ys: list): list
// the length of the given list
function len (xs: list): nat
// "n" is an element of list "xs"
predicate elem<T> (n: T, xs: list<T>)
// reverses the list “xs”
function rev(xs: list):list
Question 1
Define a function “del”:
function del<T>(n: T, xs: list<T>): list<T>
{
…
}
such that the following three properties hold:
1. ∀๐‘›: ๐‘‡, ๐‘ฅ๐‘ : ๐‘™๐‘–๐‘ ๐‘ก⟨๐‘‡⟩. ¬๐‘’๐‘™๐‘’๐‘š(๐‘›, ๐‘ฅ๐‘ ) โŸน ๐‘‘๐‘’๐‘™(๐‘›, ๐‘ฅ๐‘ ) = ๐‘ฅ๐‘ 
2. ∀๐‘›: ๐‘‡, ๐‘ฅ๐‘ : ๐‘™๐‘–๐‘ ๐‘ก⟨๐‘‡⟩. ¬๐‘’๐‘™๐‘’๐‘š(๐‘›, ๐‘‘๐‘’๐‘™(๐‘›, ๐‘ฅ๐‘ ))
3. ∀๐‘›: ๐‘‡, ๐‘ฅ๐‘ : ๐‘™๐‘–๐‘ ๐‘ก⟨๐‘‡⟩, ๐‘ฆ๐‘ : ๐‘™๐‘–๐‘ ๐‘ก⟨๐‘‡⟩. ๐‘‘๐‘’๐‘™(๐‘›, ๐‘ฅ๐‘  โงบ ys) = ๐‘‘๐‘’๐‘™(๐‘›, ๐‘ฅ๐‘ ) โงบ ๐‘‘๐‘’๐‘™(๐‘›, ๐‘ฆ๐‘ )
Write the body of the function del, and then express the three properties from above as ghost
methods. Start by giving these methods the empty body, and then write out the Dafny proofs for
these methods.
Hint: Property 1
can be expressed as:
ghost method prop_del_notelem<T>(n: T, xs: list<T>)
requires !elem(n, xs);
ensures del(n, xs) == xs;
Question 2
Modify your definition for “del” to give a function “del1” :
function del1<T>(n: T, xs: list<T>): list<T>
{
…
}
such that the following three properties hold:
1. ∀๐‘›: ๐‘‡, ๐‘ฅ๐‘ : ๐‘™๐‘–๐‘ ๐‘ก⟨๐‘‡⟩. ¬๐‘’๐‘™๐‘’๐‘š(๐‘›, ๐‘ฅ๐‘ ) โŸน ๐‘‘๐‘’๐‘™1(๐‘›, ๐‘ฅ๐‘ ) = ๐‘ฅ๐‘ 
2. ∀๐‘›: ๐‘‡, ๐‘ฅ๐‘ : ๐‘™๐‘–๐‘ ๐‘ก⟨๐‘‡⟩. ๐‘’๐‘™๐‘’๐‘š(๐‘›, ๐‘ฅ๐‘ ) โŸน ๐‘™๐‘’๐‘›(๐‘ฅ๐‘ ) = 1 + ๐‘™๐‘’๐‘›(๐‘‘๐‘’๐‘™1(๐‘›, ๐‘ฅ๐‘ ))
3. ∀๐‘›: ๐‘‡, ๐‘ฅ๐‘ : ๐‘™๐‘–๐‘ ๐‘ก⟨๐‘‡⟩. ๐‘’๐‘™๐‘’๐‘š(๐‘›, ๐‘ฅ๐‘ ) โŸน ๐‘‘๐‘’๐‘™1(๐‘›, ๐‘ฅ๐‘ ) โงบ ๐‘ฆ๐‘  = ๐‘‘๐‘’๐‘™1(๐‘›, ๐‘ฅ๐‘  โงบ ๐‘ฆ๐‘ )
As in the first Question, write the body of the function del1, and then express the three properties
from above as ghost methods. Start by giving these methods the empty body, and if necessary, write
out the Dafny proofs for these methods.
Hint: Compare the three properties from Question1 and Question 2, to find the difference between
del and del1.
Question 3
Read the definition of the function count and the definition of rev. The function count satisfies the
following two properties:
1. ∀๐‘ฅ๐‘ , ๐‘ฆ๐‘ , ๐‘ฅ. ๐‘๐‘œ๐‘ข๐‘›๐‘ก(๐‘ฅ, ๐‘ฅ๐‘ ) + ๐‘๐‘œ๐‘ข๐‘›๐‘ก(๐‘ฅ, ๐‘ฆ๐‘ ) = ๐‘๐‘œ๐‘ข๐‘›๐‘ก(๐‘ฅ, ๐‘Ž๐‘๐‘(๐‘ฅ๐‘ , ๐‘ฆ๐‘ ))
2. ∀๐‘ฅ๐‘ , ๐‘ฅ. ๐‘๐‘œ๐‘ข๐‘›๐‘ก(๐‘ฅ, ๐‘ฅ๐‘ ) = ๐‘๐‘œ๐‘ข๐‘›๐‘ก(๐‘ฅ, ๐‘Ÿ๐‘’๐‘ฃ(๐‘ฅ๐‘ ))
Prove in Dafny that count satisfies these properties. For the second property, you will need to use
some of the properties proven earlier.
Unfortunately these two properties are also fulfilled by dud_count, defined as follows:
function dud_count<T>(n: T, xs: list<T>): nat { 0 }
Prove in Dafny that dud_count satisfies these properties.
Write a property P which count fulfils but dud_count does not (don not just restate the definition of
count). Verify in Dafny that count satisfies P, and dud_count does not.
Question 4
Prove that the following holds for “rev”:
∀๐‘ฅ๐‘ , ๐‘ฆ๐‘ . ๐‘Ÿ๐‘’๐‘ฃ(๐‘ฅ๐‘  โงบ ys) = ๐‘Ÿ๐‘’๐‘ฃ ๐‘ฆ๐‘  โงบ ๐‘Ÿ๐‘’๐‘ฃ ๐‘ฅ๐‘ 
ghost method prop_rev_app(xs: list, ys: list)
ensures rev(app(xs, ys)) == app(rev(ys), rev(xs));
You may need to use some of the properties already defined and proven earlier.
Question 5
Use the property you proved in the previous question to verify the following property of “rev”:
∀๐‘ฅ๐‘ . ๐‘Ÿ๐‘’๐‘ฃ (๐‘Ÿ๐‘’๐‘ฃ ๐‘ฅ๐‘ ) = ๐‘ฅ๐‘ 
Question 6
Write a function which does list indexing in Dafny, with the following signature:
function nth<T>(n: nat, xs: list<T>): T
This should return the n-th element of the list. Remember that all functions in Dafny must
terminate, so you may have to add pre-conditions.
We now have a “safe” list indexing function, something that is impossible in Haskell (and most
other programming languages).
Question 7
In this question we will prove equivalence between our existing reverse function, and a faster tailrecursive version which uses accumulators called “itrev”.
Here is the definition of itrev, which you should enter into your Dafny code:
function itrev(xs: list, ys: list): list
{
match xs
case Nil => ys
case Cons(x, xs') => itrev(xs', Cons(x, ys))
}
Prove the following property about itrev in Dafny:
∀๐‘ฅ๐‘ : ๐‘™๐‘–๐‘ ๐‘ก⟨๐‘‡⟩. ๐‘–๐‘ก๐‘Ÿ๐‘’๐‘ฃ(๐‘ฅ๐‘ , ๐‘๐‘–๐‘™) = ๐‘Ÿ๐‘’๐‘ฃ(๐‘ฅ๐‘ )
Hint: You will need to define and prove an auxiliary lemma, and you will need to use some of the
lemmas we have already proven,
Sample Answers
In the file List_SA.dfy.,
Related documents
Exercises_Change
Exercises_Change
Exercises_Insertion_Sort
Exercises_Insertion_Sort
rq3-dafny - School of Computer Science
rq3-dafny - School of Computer Science
Care Coordination Plus Referral Form
Care Coordination Plus Referral Form
README
README
timeline - South OC
timeline - South OC
some hints for Exercises 3.4
some hints for Exercises 3.4
Rev K12 Review
Rev K12 Review
Poetry
Poetry
Exercises_Max_And_Product
Exercises_Max_And_Product
Lectures
Lectures
GOVERNMENT OF KARNATAKA DEPARTMENT OF
GOVERNMENT OF KARNATAKA DEPARTMENT OF
Download
advertisement