2

Hi Relatively new to Dafny and have defined methods set2Seq and seq2Set for conversion between sets and seqs. But can only find how to write a function fseq2Set from sets to sequences. I can not find how to define fseq2Set. As Lemmas can not reference methods this makes proving the identity beyond me. Any help much appreciated?

Code:

function method fseq2Set(se: seq<int>) :set<int>
    { set x:int | x in se :: x }
method seq2Set(se: seq<int>) returns (s:set<int>) 
    { s := set x:int | x in se :: x; }
method  set2Seq(s: set<int>)  returns (se:seq<int>)
  requires s != {}
  ensures s == fseq2Set(se)
  decreases |s|
{
    var y :| y in s;
    var tmp ;
    if (s=={y}) {tmp := [];} else {tmp := set2Seq(s-{y});}
    se := [y] + tmp;
    assert (s-{y}) + {y} == fseq2Set([y] + tmp);
}  
/* below fails */
function fset2Seq(s:set<int>):seq<int> 
decreases s { var y :| y in s ; [y] + fset2Seq(s-{y})    }
lemma cycle(s:set<int>) ensures forall s:set<int> ::  fseq2Set(fset2Seq(s)) == s {   }
david streader
  • 589
  • 2
  • 7

1 Answers1

1

Ok, there is kind of a lot going on here. First of all, I'm not sure if you intended to do anything with the methods seq2Set and set2Seq, but they don't seem to be relevant to your failure, so I'm just going to ignore them and focus on the functions.

Speaking of functions, Danfy reports an error on your definition of fset2Seq, because s might be empty. In that case, we should return the empty sequence, so I adjusted your definition to:

function fset2Seq(s:set<int>):seq<int> 
  decreases s
{
  if s == {} then []
  else 
    var y := Pick(s);
    [y] + fset2Seq(s - {y})
}

function Pick(s: set<int>): int
  requires s != {}
{
  var x :| x in s; x
}

which fixes that error. Notice that I also wrapped the let-such-that operator :| in a function called Pick. This is essential, but hard to explain. Just trust me for now.

Now on to the lemma. Your lemma is stated a bit weirdly, because it takes a parameter s, but then the ensures clause doesn't mention s. (Instead it mentions a completely different variable, also called s, that is bound by the forall quantifier!) So I adjusted it to get rid of the quantifier, as follows:

lemma cycle(s:set<int>)
  ensures fseq2Set(fset2Seq(s)) == s

Next, I follow My Favorite Heuristicâ„¢ in program verification, which is that the structure of the proof follows the structure of the program. In this case, the "program" in question is fseq2Set(fset2Seq(s)). Starting from our input s, it first gets processed recursively by fset2Seq and then through the set comprehension in fseq2Set. So, I expect a proof by induction on s that follows the structure of fset2Seq. That structure is to branch on whether s is empty, so let's do that in the lemma too:

lemma cycle(s:set<int>)
  ensures fseq2Set(fset2Seq(s)) == s
{
  if s == {} {
  } else {
  }
...

Dafny reports an error on the else branch but not on the if branch. In other words, Dafny has proved the base case, but it needs help with the inductive case. The next thing that fset2Seq(s) does is call Pick(s). Let's do that too.

lemma cycle(s:set<int>)
  ensures fseq2Set(fset2Seq(s)) == s
{
  if s == {} {
  } else {
    var y := Pick(s);
...

Now we know from its definition that fset2Seq(s) is going to return [y] + fset2Seq(s - {y}), so we can copy-paste our ensures clause and manually substitute this expression.

lemma cycle(s:set<int>)
  ensures fseq2Set(fset2Seq(s)) == s
{
  if s == {} {
  } else {
    var y := Pick(s);
    assert fseq2Set([y] + fset2Seq(s - {y})) == s;
...

Dafny reports an error on this assertion, which is not surprising, since it's just a lightly edited version of the ensures clause we're trying to prove. But importantly, Dafny no longer reports an error on the ensures clause itself. In other words, if we can prove this assertion, we are done.

Looking at this assert, we can see that fseq2Set is applied to two lists appended together. And we would expect that to be equivalent to separately converting the two lists to sets, and then taking their union. We could prove a lemma to that effect, or we could just ask Dafny if it already knows this fact, like this:

lemma cycle(s:set<int>)
  ensures fseq2Set(fset2Seq(s)) == s
{
  if s == {} {
  } else {
    var y := Pick(s);
    assert fseq2Set([y] + fset2Seq(s - {y})) == fseq2Set([y]) + fseq2Set(fset2Seq(s - {y}));
    assert fseq2Set([y] + fset2Seq(s - {y})) == s;
...

(Note that the newly added assertion is before the last one.)

Dafny now accepts our lemma. We can clean up a little by deleting the the base case and the final assertion that was just a copy-pasted version of our ensures clause. Here is the polished proof.

lemma cycle(s:set<int>)
  ensures fseq2Set(fset2Seq(s)) == s
{
  if s != {} {
    var y := Pick(s);
    assert fseq2Set([y] + fset2Seq(s - {y})) == fseq2Set([y]) + fseq2Set(fset2Seq(s - {y}));
  }
}

I hope this explains how to prove the lemma and also gives you a little bit of an idea about how to make progress when you are stuck.

I did not explain Pick. Basically, as a rule of thumb, you should just always wrap :| in a function whenever you use it. To understand why, see the Dafny power user posts on iterating over collecion and functions over set elements. Also, see Rustan's paper Compiling Hilbert's epsilon operator.

James Wilcox
  • 5,307
  • 16
  • 25