InductionHypothesisPrecondition1

Author: stefan-aws

audit.log

@@ -48,5 +48,5 @@ src/ProbabilisticProgramming/RandomSource.dfy(61,17): MeasureHeadDrop: Declarati
 src/ProbabilisticProgramming/RandomSource.dfy(67,17): TailIsMeasurePreserving: Declaration has explicit `{:axiom}` attribute. 
 src/Util/FisherYates/Correctness.dfy(104,8): CorrectnessFisherYatesUniqueElementsGeneral: Definition has `assume {:axiom}` statement in body. 
 src/Util/FisherYates/Correctness.dfy(113,12): CorrectnessFisherYatesUniqueElementsGeneral: Definition has `assume {:axiom}` statement in body. 
-src/Util/FisherYates/Correctness.dfy(208,8): CorrectnessFisherYatesUniqueElementsGeneral: Definition has `assume {:axiom}` statement in body. 
-src/Util/FisherYates/Correctness.dfy(218,8): CorrectnessFisherYatesUniqueElementsGeneral: Definition has `assume {:axiom}` statement in body. 
+src/Util/FisherYates/Correctness.dfy(147,8): CorrectnessFisherYatesUniqueElementsGeneral: Definition has `assume {:axiom}` statement in body. 
+src/Util/FisherYates/Correctness.dfy(157,8): CorrectnessFisherYatesUniqueElementsGeneral: Definition has `assume {:axiom}` statement in body. 

src/Util/FisherYates/Correctness.dfy

@@ -140,68 +140,7 @@ module FisherYates.Correctness {
             } */
           }
         }
-        assert multiset(ys[i+1..]) == multiset(p[i+1..]) by {
-          if j == i {
-            calc {
-              multiset(ys[i+1..]);
-              { assert ys[i+1..] == xs[i+1..] by { assert xs == ys; } }
-              multiset(xs[i+1..]);
-              { MultisetOfSequence(xs, i, i+1); }
-              multiset(xs[i..]) - multiset(xs[i..i+1]);
-              { assert xs[i..i+1] == [xs[i]]; }
-              multiset(xs[i..]) - multiset([xs[i]]);
-              { assert multiset(xs[i..]) == multiset(p[i..]); assert xs[i] == xs[j] by { assert i == j; } }
-              multiset(p[i..]) - multiset([xs[j]]);
-              { assert multiset([xs[j]]) == multiset([p[i]]) by { assert j in A; assert xs[j] == p[i]; } }
-              multiset(p[i..]) - multiset([p[i]]);
-              { assert multiset([p[i]]) == multiset(p[i..i+1]) by { assert [p[i]] == p[i..i+1]; } }
-              multiset(p[i..]) - multiset(p[i..i+1]);
-              { assert |p| == |xs|; MultisetOfSequence(p, i, i+1); }
-              multiset(p[i+1..]);
-            }
-          } else {
-            assert i+1 <= j by {
-              assert i <= j;
-              assert i != j;
-              assert i < j;
-            }
-            assert |xs| > j;
-            assert |xs| == |ys|;
-            calc {
-              multiset(ys[i+1..]);
-              { assert i+1 <= j; assert ys[i+1..] == ys[i+1..j] + ys[j..]; }
-              multiset(ys[i+1..j] + ys[j..]);
-              { assert ys[j..] == [ys[j]] + ys[j+1..]; }
-              multiset(ys[i+1..j] + [ys[j]] + ys[j+1..]);
-              { assert ys[i+1..j] == xs[i+1..j];}
-              multiset(xs[i+1..j] + [ys[j]] + ys[j+1..]);
-              { assert ys[j] == xs[i]; }
-              multiset(xs[i+1..j] + [xs[i]] + ys[j+1..]);
-              { assert ys[j+1..] == xs[j+1..]; }
-              multiset(xs[i+1..j] + [xs[i]] + xs[j+1..]);
-              { assert multiset([xs[j]]) - multiset([xs[j]]) == multiset{}; }
-              multiset(xs[i+1..j] + [xs[i]] + xs[j+1..]) + multiset([xs[j]]) - multiset([xs[j]]);
-              { assert multiset(xs[i+1..j] + [xs[i]] + xs[j+1..]) + multiset([xs[j]]) == multiset(xs[i+1..j] + [xs[i]] + xs[j+1..] + [xs[j]]); }
-              multiset(xs[i+1..j] + [xs[i]] + xs[j+1..] + [xs[j]]) - multiset([xs[j]]);
-              { assert multiset(xs[i+1..j] + [xs[i]] + xs[j+1..] + [xs[j]]) == multiset(xs[i+1..j]) + multiset([xs[i]]) + multiset(xs[j+1..]) + multiset([xs[j]]); }
-              multiset(xs[i+1..j]) + multiset([xs[i]]) + multiset(xs[j+1..]) + multiset([xs[j]]) - multiset([xs[j]]);
-              { assert multiset(xs[i+1..j]) + multiset([xs[i]]) + multiset(xs[j+1..]) + multiset([xs[j]]) == multiset([xs[i]]) + multiset(xs[i+1..j]) + multiset([xs[j]]) + multiset(xs[j+1..]); }
-              multiset([xs[i]]) + multiset(xs[i+1..j]) + multiset([xs[j]]) + multiset(xs[j+1..]) - multiset([xs[j]]);
-              { assert multiset([xs[i]]) + multiset(xs[i+1..j]) + multiset([xs[j]]) + multiset(xs[j+1..]) == multiset([xs[i]] + xs[i+1..j] + [xs[j]] + xs[j+1..]); }
-              multiset([xs[i]] + xs[i+1..j] + [xs[j]] + xs[j+1..]) - multiset([xs[j]]);
-              { assert [xs[i]] + xs[i+1..j] == xs[i..j]; assert [xs[j]] + xs[j+1..] == xs[j..]; }
-              multiset(xs[i..j] + xs[j..]) - multiset([xs[j]]);
-              { assert xs[i..j] + xs[j..] == xs[i..]; }
-              multiset(xs[i..]) - multiset([xs[j]]);
-              { assert multiset(xs[i..]) == multiset(p[i..]); assert j in A; assert xs[j] == p[i]; }
-              multiset(p[i..]) - multiset([p[i]]);
-              { assert [p[i]] == p[i..i+1]; }
-              multiset(p[i..]) - multiset(p[i..i+1]);
-              { assert |p| == |xs|; MultisetOfSequence(p, i, i+1); }
-              multiset(p[i+1..]);
-            }
-          }
-        }
+        InductionHypothesisPrecondition1(xs, ys, p, i, j);
         CorrectnessFisherYatesUniqueElementsGeneral(ys, p, i+1);
       }
       assert DecomposeE: e == Monad.BitstreamsWithValueIn(h, A) * Monad.BitstreamsWithRestIn(h, e') by {
@@ -227,6 +166,79 @@ module FisherYates.Correctness {
     }
   }
 
+  lemma InductionHypothesisPrecondition1<T(!new)>(xs: seq<T>, ys: seq<T>, p: seq<T>, i: nat, j: nat)
+    requires i <= |xs|
+    requires i <= |p|
+    requires forall a, b | i <= a < b < |xs| :: xs[a] != xs[b]
+    requires |xs| == |p|
+    requires multiset(p[i..]) == multiset(xs[i..])
+    requires i <= j < |xs| && xs[j] == p[i]
+    requires ys == Model.Swap(xs, i, j)
+    requires |xs[i..]| > 1
+    ensures multiset(ys[i+1..]) == multiset(p[i+1..])
+  {
+    if j == i {
+      calc {
+        multiset(ys[i+1..]);
+        { assert ys[i+1..] == xs[i+1..] by { assert xs == ys; } }
+        multiset(xs[i+1..]);
+        { MultisetOfSequence(xs, i, i+1); }
+        multiset(xs[i..]) - multiset(xs[i..i+1]);
+        { assert xs[i..i+1] == [xs[i]]; }
+        multiset(xs[i..]) - multiset([xs[i]]);
+        { assert multiset(xs[i..]) == multiset(p[i..]); assert xs[i] == xs[j] by { assert i == j; } }
+        multiset(p[i..]) - multiset([xs[j]]);
+        { assert multiset([xs[j]]) == multiset([p[i]]) by { assert xs[j] == p[i]; } }
+        multiset(p[i..]) - multiset([p[i]]);
+        { assert multiset([p[i]]) == multiset(p[i..i+1]) by { assert [p[i]] == p[i..i+1]; } }
+        multiset(p[i..]) - multiset(p[i..i+1]);
+        { assert |p| == |xs|; MultisetOfSequence(p, i, i+1); }
+        multiset(p[i+1..]);
+      }
+    } else {
+      assert i+1 <= j by {
+        assert i <= j;
+        assert i != j;
+        assert i < j;
+      }
+      assert |xs| > j;
+      assert |xs| == |ys|;
+      calc {
+        multiset(ys[i+1..]);
+        { assert i+1 <= j; assert ys[i+1..] == ys[i+1..j] + ys[j..]; }
+        multiset(ys[i+1..j] + ys[j..]);
+        { assert ys[j..] == [ys[j]] + ys[j+1..]; }
+        multiset(ys[i+1..j] + [ys[j]] + ys[j+1..]);
+        { assert ys[i+1..j] == xs[i+1..j];}
+        multiset(xs[i+1..j] + [ys[j]] + ys[j+1..]);
+        { assert ys[j] == xs[i]; }
+        multiset(xs[i+1..j] + [xs[i]] + ys[j+1..]);
+        { assert ys[j+1..] == xs[j+1..]; }
+        multiset(xs[i+1..j] + [xs[i]] + xs[j+1..]);
+        { assert multiset([xs[j]]) - multiset([xs[j]]) == multiset{}; }
+        multiset(xs[i+1..j] + [xs[i]] + xs[j+1..]) + multiset([xs[j]]) - multiset([xs[j]]);
+        { assert multiset(xs[i+1..j] + [xs[i]] + xs[j+1..]) + multiset([xs[j]]) == multiset(xs[i+1..j] + [xs[i]] + xs[j+1..] + [xs[j]]); }
+        multiset(xs[i+1..j] + [xs[i]] + xs[j+1..] + [xs[j]]) - multiset([xs[j]]);
+        { assert multiset(xs[i+1..j] + [xs[i]] + xs[j+1..] + [xs[j]]) == multiset(xs[i+1..j]) + multiset([xs[i]]) + multiset(xs[j+1..]) + multiset([xs[j]]); }
+        multiset(xs[i+1..j]) + multiset([xs[i]]) + multiset(xs[j+1..]) + multiset([xs[j]]) - multiset([xs[j]]);
+        { assert multiset(xs[i+1..j]) + multiset([xs[i]]) + multiset(xs[j+1..]) + multiset([xs[j]]) == multiset([xs[i]]) + multiset(xs[i+1..j]) + multiset([xs[j]]) + multiset(xs[j+1..]); }
+        multiset([xs[i]]) + multiset(xs[i+1..j]) + multiset([xs[j]]) + multiset(xs[j+1..]) - multiset([xs[j]]);
+        { assert multiset([xs[i]]) + multiset(xs[i+1..j]) + multiset([xs[j]]) + multiset(xs[j+1..]) == multiset([xs[i]] + xs[i+1..j] + [xs[j]] + xs[j+1..]); }
+        multiset([xs[i]] + xs[i+1..j] + [xs[j]] + xs[j+1..]) - multiset([xs[j]]);
+        { assert [xs[i]] + xs[i+1..j] == xs[i..j]; assert [xs[j]] + xs[j+1..] == xs[j..]; }
+        multiset(xs[i..j] + xs[j..]) - multiset([xs[j]]);
+        { assert xs[i..j] + xs[j..] == xs[i..]; }
+        multiset(xs[i..]) - multiset([xs[j]]);
+        { assert multiset(xs[i..]) == multiset(p[i..]); assert xs[j] == p[i]; }
+        multiset(p[i..]) - multiset([p[i]]);
+        { assert [p[i]] == p[i..i+1]; }
+        multiset(p[i..]) - multiset(p[i..i+1]);
+        { assert |p| == |xs|; MultisetOfSequence(p, i, i+1); }
+        multiset(p[i+1..]);
+      }
+    }
+  }
+
   lemma ProbabilityOfE<T(!new)>(xs: seq<T>, p: seq<T>, i: nat, j: nat, h: Monad.Hurd<int>, A: iset<int>, e: iset<Rand.Bitstream>, e': iset<Rand.Bitstream>)
     requires i <= |xs|
     requires i <= |p|