@@ -168,39 +168,8 @@ module FisherYates.Correctness {
168168 var ys := Model. Swap (xs, i, j);
169169 var e' := iset s | Model. Shuffle (ys, i+1)(s). Result? && Model. Shuffle (ys, i+1)(s). value[i+ 1.. ] == p[i+ 1.. ];
170170 assert InductionHypothesis: e' in Rand. eventSpace && Rand. prob (e') == 1. 0 / (NatArith. FactorialTraditional (|xs|-(i+1)) as real ) by {
171- assert multiset (ys[i+1..]) == multiset (p[i+1..]) by {
172- InductionHypothesisPrecondition1 (xs, ys, p, i, j);
173- }
174- assert forall a, b | i+ 1 <= a < b < |ys| :: ys[a] != ys[b] by {
175- InductionHypothesisPrecondition2 (xs, ys, p, i, j);
176- }
177- assert i+ 1 <= |ys| by {
178- calc {
179- i + 1;
180- <
181- |xs|;
182- ==
183- |ys|;
184- }
185- }
186- assert i < |p| by {
187- calc {
188- i;
189- <
190- i+ 1;
191- <
192- |xs|;
193- ==
194- |p|;
195- }
196- }
197- assert |ys| == |p| by {
198- calc {
199- |ys|;
200- |xs|;
201- |p|;
202- }
203- }
171+ InductionHypothesisPrecondition1 (xs, ys, p, i, j);
172+ InductionHypothesisPrecondition2 (xs, ys, p, i, j);
204173 if |ys[i+ 1.. ]| > 1 {
205174 CorrectnessFisherYatesUniqueElementsGeneralGreater1 (ys, p, i+1);
206175 } else {
@@ -246,13 +215,13 @@ module FisherYates.Correctness {
246215 }
247216
248217 lemma DecomposeE< T (!new)> (xs: seq < T> , ys: seq < T> , p: seq < T> , i: nat , j: nat , h: Monad. Hurd< int > , A: iset < int > , e: iset < Rand. Bitstream> , e': iset < Rand. Bitstream> )
249- requires i <= |xs|
250218 requires i <= |p|
251- requires forall a, b | i <= a < b < |xs| :: xs[a] != xs[b]
252219 requires |xs| == |p|
220+ requires |xs|- i > 1
221+ requires i <= |xs|
222+ requires forall a, b | i <= a < b < |xs| :: xs[a] != xs[b]
253223 requires multiset (p[i..]) == multiset (xs[i..])
254224 requires i <= j < |xs| && xs[j] == p[i]
255- requires |xs|- i > 1
256225 requires A == iset j | i <= j < |xs| && xs[j] == p[i]
257226 requires A == iset {j}
258227 requires h == Uniform. Model. IntervalSample (i, |xs|)
0 commit comments