prove pivotsAreCorrectAfterSplit

Travis Hance · Travis Hance · commit 9420f923c31e · 2019-06-07T18:42:51.000-07:00
diff --git a/immutable-btree/BtreeInv.dfy b/immutable-btree/BtreeInv.dfy
@@ -517,20 +517,71 @@ abstract module BtreeInv {
     }
   }
 
+  lemma pivotsAreCorrectAfterSplit(tree: Node, newtree: Node, l: Key, u: Key, childrenToLeft: int, pos: int)
+  requires WFTree(tree);
+  requires SplitTransform(tree, newtree, l, u, childrenToLeft);
+  requires pos == Keyspace.LargestLte(tree.pivots, l) + 1;
+  requires 0 <= pos < |tree.children|;
+  requires tree.children[pos].lb == l;
+  requires tree.children[pos].ub == u;
+  ensures Keyspace.IsStrictlySorted(newtree.pivots);
+  {
+    var child := tree.children[pos];
+    assert |newtree.children| == |tree.children| + 1;
+    var left_child := newtree.children[pos];
+    var right_child := newtree.children[pos+1];
+    assert WFTree(child);
+    if (pos < |tree.pivots|) {
+      if (child.Leaf?) {
+        assert newtree.pivots[pos]
+            == right_child.keys[0]
+            == child.keys[childrenToLeft];
+        assert Keyspace.lt(child.keys[childrenToLeft], child.ub);
+      } else {
+        assert newtree.pivots[pos] == child.pivots[childrenToLeft-1];
+        assert Keyspace.lt(child.pivots[childrenToLeft-1], child.ub);
+      }
+      assert child.ub == tree.pivots[pos];
+      assert Keyspace.lt(newtree.pivots[pos], tree.pivots[pos]);
+    }
+    if (pos > 0) {
+      if (child.Leaf?) {
+        assert Keyspace.lte(child.lb, child.keys[0]);
+        Keyspace.reveal_IsStrictlySorted();
+        assert Keyspace.lt(child.keys[0], child.keys[childrenToLeft]);
+        assert Keyspace.lt(child.lb, child.keys[childrenToLeft]);
+      } else {
+        assert Keyspace.lt(child.lb, child.pivots[childrenToLeft-1]);
+      }
+      assert child.lb == tree.pivots[pos-1];
+      assert Keyspace.lt(tree.pivots[pos-1], newtree.pivots[pos]);
+    }
+    Keyspace.strictlySortedInsert2(tree.pivots, newtree.pivots[pos], pos);
+  }
+
   lemma SplitIsCorrect<Value>(tree: Node, newtree: Node, l: Key, u: Key, childrenToLeft: int)
   requires WFTree(tree);
   requires CantEquivocate(tree);
   requires SplitTransform(tree, newtree, l, u, childrenToLeft);
+  ensures WFTree(newtree);
   ensures PreservesLookups(tree, newtree);
   ensures PreservesLookups(newtree, tree);
-  ensures WFTree(newtree)
-  ensures CantEquivocate(newtree)
-  decreases tree
+  ensures CantEquivocate(newtree);
+  decreases tree;
   {
     var pos := Keyspace.LargestLte(tree.pivots, l) + 1;
     var child := tree.children[pos];
     if (child.lb == l && child.ub == u) {
+      var left_child := newtree.children[pos];
+      var right_child := newtree.children[pos+1];
+      pivotsAreCorrectAfterSplit(tree, newtree, l, u, childrenToLeft, pos);
+      assert WFTree(newtree);
+      assume false;
+      assert PreservesLookups(tree, newtree);
+      assert PreservesLookups(newtree, tree);
+      assert CantEquivocate(newtree);
     } else {
+      assume false;
       // Before we can call Define recursively, we must prove that the child CantEquivocate.
       forall key', valueA, valueB, lookup, lookup'
       |
diff --git a/immutable-btree/BtreeSpec.dfy b/immutable-btree/BtreeSpec.dfy
@@ -27,9 +27,9 @@ abstract module BtreeSpec {
       && CSMap.Keyspace.IsStrictlySorted(tree.keys)
       && |tree.keys| == |tree.values|
       && (forall i :: 0 <= i < |tree.keys| ==>
-          && CSMap.Keyspace.lte(tree.lb, tree.keys[i])
-          && CSMap.Keyspace.lt(tree.keys[i], tree.ub)
-         )
+          && CSMap.Keyspace.lte(tree.lb, tree.keys[i]))
+      && (forall i :: 0 <= i < |tree.keys| ==>
+          && CSMap.Keyspace.lt(tree.keys[i], tree.ub))
     else
       && |tree.pivots| > 0
       && CSMap.Keyspace.IsStrictlySorted(tree.pivots)
@@ -193,7 +193,7 @@ abstract module BtreeSpec {
   {
     && node.lb == left_node.lb
     && left_node.ub == pivot
-    && pivot == right_node.ub
+    && pivot == right_node.lb
     && right_node.ub == node.ub
     && (if node.Leaf? then (
       && left_node.Leaf?
diff --git a/lib/total_order.dfy b/lib/total_order.dfy
@@ -243,6 +243,16 @@ abstract module Total_Order {
     {
     }
   }
+
+  lemma strictlySortedInsert2(l: seq<Element>, k: Element, pos: int)
+  requires 0 <= pos <= |l|;
+  requires 0 < pos ==> lt(l[pos-1], k);
+  requires pos < |l| ==> lt(k, l[pos]);
+  ensures IsStrictlySorted(Seq.insert(l, k, pos));
+  {
+    Seq.reveal_insert();
+    reveal_IsStrictlySorted();
+  }
 }
 
 abstract module Bounded_Total_Order refines Total_Order {

Original file line number	Diff line number	Diff line change
`@@ -243,6 +243,16 @@ abstract module Total_Order {`
`243`	`243`	`{`
`244`	`244`	`}`
`245`	`245`	`}`
	`246`	`+`
	`247`	`+ lemma strictlySortedInsert2(l: seq<Element>, k: Element, pos: int)`
	`248`	`+ requires 0 <= pos <= \|l\|;`
	`249`	`+ requires 0 < pos ==> lt(l[pos-1], k);`
	`250`	`+ requires pos < \|l\| ==> lt(k, l[pos]);`
	`251`	`+ ensures IsStrictlySorted(Seq.insert(l, k, pos));`
	`252`	`+ {`
	`253`	`+ Seq.reveal_insert();`
	`254`	`+ reveal_IsStrictlySorted();`
	`255`	`+ }`
`246`	`256`	`}`
`247`	`257`
`248`	`258`	`abstract module Bounded_Total_Order refines Total_Order {`