adding Merge Sort and Binary Search

[prvshah51]

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

[robin-aws]

Great start! Here are some top-level suggestions (which will make some of the inline comments I made moot, but I added those anyway just for the sake of learning).

1. This code should be under src rather than examples - the latter is for sample uses of the actual functions/methods. I would suggest src/Collections/Arrays/Arrays.dfy to align with the established layout. The additional total ordering predicates on compare would fit nicely into the existing src/Functions.dfy file.

2. For sorting, I think proving HeapSort correct will take quite a bit of work. Why not steal the MergeSort implementation I did for the report generator instead? https://github.com/dafny-lang/dafny-reportgenerator/blob/main/src/StandardLibrary.dfy#L38 It definitely won't be as efficient given that it creates lots of intermediate subsequences (especially since most runtimes implement that as a copy instead of a reference), but it's already proven correct, and having that sorting algorithm here will still be an improvement over not having any sorting algorithm. :) You'll just have to replace calls to f(x) < f(y) with compare(x, y) just as you already have in BinarySearch.

[robin-aws]

I think it would be better to return an Option<nat> instead, so we don't have to use -1 as a special flag value.

[robin-aws]

Suggested change

	var temp:= a[0];
	a[0]:= a[i];
	a[i]:= temp;
	a[0], a[i] := a[i], a[0];

[robin-aws]

I'd name this HeapSortArray to be more precise, since there are other ways to sort (and may even be more in this repo in the future)

[robin-aws]

You're missing the pre-conditions that ensure compare is a total ordering, which is why some of the assertions about correctness aren't verifying. You should be able to copy them here with proper attribution (I know all of the authors on that file would be happy to have their code in this repo :) - https://github.com/aws/aws-encryption-sdk-dafny/blob/mainline/src/Util/Sorting.dfy#L126-L127

You'll need exactly the same requires clauses on the sorting methods too.

[robin-aws]

This needs to be an ensures instead - it's describing the state of the array AFTER executing the method.

[atomb]

You also probably need a postcondition that the result is sorted.

[atomb]

In order to add SortedBy in a postcondition here, you'll need to export it from the module, as well.

[atomb]

And I think you'll also need these preconditions:

requires StandardLibrary.Transitive(compare)
requires Connected(compare)

[atomb]

Because Sort is a method, you'll need something like result := MergeSortBy(s, compare);.

[atomb]

You might want to do this to allow the array to contain duplicates.

Suggested change

	requires forall i,j :: 0 <= i < j < a.Length ==> compare(a[i], a[j])
	requires forall i,j :: 0 <= i < j < a.Length ==> compare(a[i], a[j]) || a[i] == a[j]

[atomb]

I think this method requires an even more obscure property of the compare function. :)

requires StandardLibrary.Trichotomous(compare)

[atomb]

And it turns out that if you have that precondition you don't need Transitive or Connected.

[atomb]

The way the spec is written right now, this method should return int instead of nat, though making it return Option<nat> might be even nicer, as I mention below.

[atomb]

Looks nice! I just suggested a few small changes for consistency and removal of duplication.

Eventually, I suspect we should split up StandardLibrary.dfy to put some of its contents in the more specialized modules that already exist (and maybe some new ones). For now, though, this at least makes a bunch more definitions available.

[atomb]

Suggested change

	module BinarySearch{
	module BinarySearch {

[atomb]

Suggested change

	predicate Reflexive<T(!new)>(R: (T, T) -> bool) {
	predicate Reflexive<T(!new)>(R: (T, T) -> bool) {

And I'd suggest similar changes throughout this file to ensure the indentation is consistent.

[atomb]

Suggested change

	module sorting{
	module Sorting {

[atomb]

This predicate and a bunch of those after it are duplicated between here and the BinarySearch module. Maybe they should go in StandardLibrary.dfy until we reorganize it to split it up a little more?

[atomb]

This comment probably isn't needed anymore. :)

[atomb]

You'll probably want provides BinarySearch, too, so that people can use it.

[atomb]

It'd be nice to have this indented two spaces to be consistent with the imports above it.

[atomb]

Nicely done!

I believe your comments have been addressed and that you'd prefer to have this merged sooner than later. :)

[robin-aws]

@prvshah51 I've pushed several commits to remove more code we don't need (yet!), and made a few other changes to get it ready to merge IMO:

• After discussion with @atomb I've removed Comparison.dfy and stuck to plain old (T, T) -> bool relations, which simplifies things for now.
• Moved Relations.dfy to the top-level src directory (since we also have Functions.dfy there already)
• Added an example that sorts and then searches, which also revealed that the "sorted" precondition on BinarySearch wasn't correct!

Let me know if you have any concerns, and @atomb / @MikaelMayer I'll leave it to you two to approve since I feel a little biased now that I've thrown my own commits on this. :)

Addressed own suggestions, recusing myself as biased :)

[robin-aws]

@MikaelMayer I just noticed you had some style requests that were lost in the shuffle. I'll respond to the ones I see that still seem relevant, but please just provide a quick comment at the top level if there are others we missed.

Re: the naming convention for predicates, e.g. "IsTotalOrder" instead of "TotalOrder", that's potentially a good idea but the latter convention is already established here in predicates like Functions.Injective. I'd suggest if you still feel strongly about it that you cut a repo issue for discussion, similar to #47.

Re: "lessThan" instead of "less", I don't have a strong opinion so I'd be willing to change it, personally. @prvshah51?

[prvshah51]

Re: "lessThan" instead of "less", I don't have a strong opinion so I'd be willing to change it, personally. @prvshah51?

Both options are fine with me.

[MikaelMayer]

Suggested change

	function method MergeSortBy<T>(a: seq<T>, compare: (T, T) -> bool): (result :seq<T>)
	function method MergeSortBy<T>(a: seq<T>, lessEqThan: (T, T) -> bool): (result :seq<T>)

[atomb]

It's perhaps worth noting that we could change this in the future without breaking client code. I'd maybe prefer lessEq or lessThanOrEq, to avoid the awkward reading of "equal than".

[prvshah51]

Thanks for suggestions , I am changing compare to lessThanOrEq.

[MikaelMayer]

@MikaelMayer I just noticed you had some style requests that were lost in the shuffle. I'll respond to the ones I see that still seem relevant, but please just provide a quick comment at the top level if there are others we missed.

Re: the naming convention for predicates, e.g. "IsTotalOrder" instead of "TotalOrder", that's potentially a good idea but the latter convention is already established here in predicates like Functions.Injective. I'd suggest if you still feel strongly about it that you cut a repo issue for discussion, similar to #47.

Re: "lessThan" instead of "less", I don't have a strong opinion so I'd be willing to change it, personally. @prvshah51?

Could you use the attribute {:options "/functionSyntax:4"} and change all your predicate method to predicate ?

function method {:opaque} Sort(s: seq, compare: (T, T) -> bool)
instead of a method

Add the following comment to MergeSortBy
// Splits a sequence in two, sorts the two subsequences using itself, and merge the two sorted sequences using MergeSortedBy

[robin-aws]

Could you use the attribute {:options "/functionSyntax:4"} and change all your predicate method to predicate ?

function method {:opaque} Sort(s: seq, compare: (T, T) -> bool)
instead of a method

I did that for MergeSort.dfy, but for Relations.dfy SortedBy was the only predicate method, and I actually made that a non-compiled predicate instead like the others. As per my comment on the original version in dafny-reportgenerator:

// TODO: Make this a predicate-by-method so it has linear runtime instead of quadratic.
// For now it's only used at runtime in tests.

This change doesn't need it to be compilable yet so I'd rather address that later.

Add the following comment to MergeSortBy
// Splits a sequence in two, sorts the two subsequences using itself, and merge the two sorted sequences using
MergeSortedBy

It's already there? :)

[robin-aws]

Trying to use {:options "/functionSyntax:4"} ran into what looks like a bug in Dafny 3.5.0 (which this repo is using) that I can't reproduce with the latest. I've reverted it for now and we can come back to that too: #55

[atomb]

This is a nice simplification of the original. :) Ordering continues to be a tricky topic, and I left a couple of comments related to it, though I'm not sure that any of them should hold up merging.

[atomb]

When I commented earlier about defining this for a comparison result data type, @cpitclaudel pointed out very rightly that my first attempt wouldn't work for comparison based on projection (e.g., looking only at the first element of a tuple), and I think this definition suffers from the same problem, using == here. That's not necessarily fatal, but it's something to be aware of.

[atomb]

Ah, but I notice this isn't actually used anywhere at this point. Should we remove it, given that issue?

[robin-aws]

Good point, I'd prefer to remove it too now that it's unused.

[atomb]

This will have the same issue I commented on for Trichotomous, making it impossible to sort by projections. Would it be possible to make the proof go through if we required TotalOrdering instead of StrictTotalOrdering?

[robin-aws]

I attempted that at first, but I was discouraged not only by verification not immediately working, but also the fact that it makes the specification messier as well: instead of

ensures r.Some? ==> r.value < a.Length && a[r.value] == key

You would need

ensures r.Some? ==> r.value < a.Length && lessThanOrEqual(a[r.value], key) && lessThanOrEqual(key, a[r.value])

Which is just plain much harder to read and understand.

I think for that reason, it makes more sense to improve this at the same time that we add comparison functions that return CmpResult instead as per #53.

[MikaelMayer]

I approve but I still don't feel comfortable having a comparison function called twice in a binary search.

[robin-aws]

I approve but I still don't feel comfortable having a comparison function called twice in a binary search.

I definitely don't love it either. Both of these implementations are far from ideal when it comes to efficiency at runtime. I'm personally much more dissatisfied with my own MergeSort here rather than the binary search: it's using s[..1] expressions to recurse, and with the current compilation behavior that involves making a new copy, so the runtime is far worse than log-linear.

This whole repository needs more work to ensure it compiles to efficient-enough code for each supported language (see #24). In fact we're not even guaranteeing it is compilable at all for each target - it doesn't work for Java and hence the existence of https://github.com/dafny-lang/libraries-without-variance.

In general, I consider it good forwards progress to have a verified but inefficient definition of a concept here, since many users can live with the inefficiency in their context. But I'm looking forward to adding a lot of by method's in the future! :)