DEVHIDE
Login Or Sign up

Ada GNATprove insints that 1 is not >= 0

251 Views Asked by At

I am trying to prove, that my algorithm for finding second largest value in array works as it should. This is my code:

function FindMax2 (V : Vector) return Integer is
    Max : Natural := 0;
    SecondMax : Natural := 0;
begin
    for I in V'Range loop

        pragma Assert
            (Max >= 0 and
            SecondMax >= 0 and
            V(I) > 0);

        if V(I) > Max then
            SecondMax := Max;
            Max := V(I);
        elsif V(I) /= Max and V(I) > SecondMax then
            SecondMax := V(I);
        end if;

        pragma Loop_Invariant
                    (Max > SecondMax and
                    V(I) > 0 and
                    (for all J in V'First .. I => V(J) <= Max));
    end loop;
    return SecondMax;
end FindMax2;

and this are my pre- and postconditions:

package Max2 with SPARK_Mode is

    type Vector is array (Integer range <>) of Positive;

    function FindMax2 (V : Vector) return Integer
    with
        Pre => V'First < Integer'Last and V'Length > 0,
        Post => FindMax2'Result >= 0 and
        (FindMax2'Result = 0 or (for some I in V'Range => FindMax2'Result = V(I))) and
        (if FindMax2'Result /= 0 then (for some I in V'Range => V(I) > FindMax2'Result)) and
        (if FindMax2'Result = 0 then (for all I in V'Range => (for all J in V'Range => V(I) = V(J)))
        else
            (for all I in V'Range => (if V(I) > FindMax2'Result then (for all J in V'Range => V(J) <= V(I)))));
end Max2;

I'm stuck now on this message from GNATprove:

max2.ads:8:17: medium: postcondition might fail (e.g. when FindMax2'Result = 1 and V = (others => 1) and V'First = 0 and V'Last = 0)

If I am not mistaken it is reffering to the first condition about the result being greater or equal to 0, then why does it put 1 as a counter-example? Is there any way I can prove this?

ada proof invariants proof-of-correctness spark-ada
Original Q&A
2

There are 2 best solutions below

0
On

Note that the actual answer was provided by the OP self here. Credits should go there. This is just an addition to my comment on that nice result.

max2.ads

package Max2 with SPARK_Mode is

   type Vector is array (Integer range <>) of Positive;


   function All_Same (V : Vector) return Boolean is
     (for all I in V'Range => (for all J in V'Range => V(I) = V(J)))
     with Ghost;

   function Elem_Of (V : Vector; X : Integer) return Boolean is
      (for some I in V'Range => V (I) = X)
       with Ghost; 

   function Is_Largest (V : Vector; X : Integer) return Boolean is
     (Elem_Of (V, X) and (for all I in V'Range => V (I) <= X))
       with Ghost;

   function Is_Second_Largest (V : Vector; X : Integer) return Boolean is
     (Elem_Of (V, X) and not Is_Largest (V, X) and
          (for all I in V'Range => V(I) <= X or else Is_Largest (V, V (I))))
       with Ghost;

   pragma Annotate (GNATprove, Inline_For_Proof, All_Same);
   pragma Annotate (GNATprove, Inline_For_Proof, Elem_Of);
   pragma Annotate (GNATprove, Inline_For_Proof, Is_Largest);
   pragma Annotate (GNATprove, Inline_For_Proof, Is_Second_Largest);


   procedure FindMax2 (V : Vector; Found : out Boolean; Value : out Natural)
     with Post => (if Found then Is_Second_Largest (V, Value) else All_Same (V));

end Max2;

max2.adb

package body Max2 with SPARK_Mode is
   
   --------------
   -- FindMax2 --
   --------------
   
   procedure FindMax2 
     (V     : in     Vector;
      Found :    out Boolean; 
      Value :    out Natural) 
   is
      L1 : Natural := 0;
      L2 : Natural := 0;
   begin      
      
      if V'Length > 1 then      
         for I in V'Range loop

            if L1 < V(I) then
               L2 := L1;
               L1 := V(I);
            elsif L2 < V(I) and V(I) < L1 then
               L2 := V(I);
            end if;

            pragma Loop_Invariant
              (L2 < L1);
           
            pragma Loop_Invariant
              (L1 = 0 or Elem_Of (V (V'First .. I), L1));
            pragma Loop_Invariant
              (L2 = 0 or Elem_Of (V (V'First .. I), L2));
            
            pragma Loop_Invariant
              (Is_Largest (V (V'First .. I), L1));
                    
            pragma Loop_Invariant
              (if L2 = 0 
               then All_Same (V (V'First .. I))
               else Is_Second_Largest (V (V'First .. I), L2));
         
         end loop;
      end if;
      
      Found := (L2 > 0);
      Value := L2;
      
   end FindMax2;

end Max2;
1
On

I managed to solve my problem. I was wrong about the error message, gnatprove was reffering to the whole post condition statement. If someone is interested in the solution, Iadded a few conditions in the loop invariant

pragma Loop_Invariant
            (Max > SecondMax and
            V(I) > 0 and
            (for all J in V'First .. I => V(J) <= Max) and

            (Max = 0 or (for some J in V'First .. I => Max = V(J))) and
            (SecondMax = 0 or (for some J in V'First .. I => SecondMax = V(J))) and

            (if SecondMax = 0 then (for all J in V'First .. I => (for all K in V'First .. I => V(J) = V(K)))
            else (for all J in V'First .. I => (if V(J) > SecondMax then (for all K in V'First .. I => V(K) <= V(J))))));

Related Questions in ADA

Related Questions in PROOF

Related Questions in INVARIANTS

Related Questions in PROOF-OF-CORRECTNESS

Related Questions in SPARK-ADA

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.