1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
/**************************************************************************/
/* */
/* The Why platform for program certification */
/* */
/* Copyright (C) 2002-2011 */
/* */
/* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11 */
/* Claude MARCHE, INRIA & Univ. Paris-sud 11 */
/* Yannick MOY, Univ. Paris-sud 11 */
/* Romain BARDOU, Univ. Paris-sud 11 */
/* */
/* Secondary contributors: */
/* */
/* Thierry HUBERT, Univ. Paris-sud 11 (former Caduceus front-end) */
/* Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa) */
/* Ali AYAD, CNRS & CEA Saclay (floating-point support) */
/* Sylvie BOLDO, INRIA (floating-point support) */
/* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) */
/* Mehdi DOGGUY, Univ. Paris-sud 11 (Why GUI) */
/* */
/* This software is free software; you can redistribute it and/or */
/* modify it under the terms of the GNU Lesser General Public */
/* License version 2.1, with the special exception on linking */
/* described in file LICENSE. */
/* */
/* This software is distributed in the hope that it will be useful, */
/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. */
/* */
/**************************************************************************/
//@+ TerminationPolicy = user
//@+ CheckArithOverflow = no
/*@ predicate Sorted{L}(int a[], integer l, integer h) =
@ \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
@*/
/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
@ \at(a[i],L1) == \at(a[j],L2) &&
@ \at(a[j],L1) == \at(a[i],L2) &&
@ \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
@*/
/*@ axiomatic Permut {
@ predicate Permut{L1,L2}(int a[], integer l, integer h);
@ axiom Permut_refl{L}:
@ \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
@ axiom Permut_sym{L1,L2}:
@ \forall int a[], integer l h;
@ Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
@ axiom Permut_trans{L1,L2,L3}:
@ \forall int a[], integer l h;
@ Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==>
@ Permut{L1,L3}(a, l, h) ;
@ axiom Permut_swap{L1,L2}:
@ \forall int a[], integer l h i j;
@ l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==>
@ Permut{L1,L2}(a, l, h) ;
@ }
@*/
class Sort {
/*@ requires t != null &&
@ 0 <= i < t.length && 0 <= j < t.length;
@ assigns t[i],t[j];
@ ensures Swap{Old,Here}(t,i,j);
@*/
void swap(int t[], int i, int j) {
int tmp = t[i];
t[i] = t[j];
t[j] = tmp;
}
/*@ requires t != null;
@ behavior sorted:
@ ensures Sorted(t,0,t.length-1);
@ behavior permutation:
@ ensures Permut{Old,Here}(t,0,t.length-1);
@*/
void min_sort(int t[]) {
int i,j;
int mi,mv;
/*@ loop_invariant 0 <= i;
@ for sorted:
@ loop_invariant Sorted(t,0,i) &&
@ (\forall integer k1 k2 ;
@ 0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
@ for permutation:
@ loop_invariant Permut{Pre,Here}(t,0,t.length-1);
@*/
for (i=0; i<t.length-1; i++) {
// look for minimum value among t[i..n-1]
mv = t[i]; mi = i;
/*@ loop_invariant i < j && i <= mi < t.length;
@ for sorted:
@ loop_invariant mv == t[mi] &&
@ (\forall integer k; i <= k < j ==> t[k] >= mv);
@ for permutation:
@ loop_invariant Permut{Pre,Here}(t,0,t.length-1);
@*/
for (j=i+1; j < t.length; j++) {
if (t[j] < mv) {
mi = j ; mv = t[j];
}
}
swap(t,i,mi);
}
}
}
|
