3

I am trying to prove, that my algorithm for finding second largest value in array works as it should. This is my code:

function FindMax2 (V : Vector) return Integer is
    Max : Natural := 0;
    SecondMax : Natural := 0;
begin
    for I in V'Range loop

        pragma Assert
            (Max >= 0 and
            SecondMax >= 0 and
            V(I) > 0);

        if V(I) > Max then
            SecondMax := Max;
            Max := V(I);
        elsif V(I) /= Max and V(I) > SecondMax then
            SecondMax := V(I);
        end if;

        pragma Loop_Invariant
                    (Max > SecondMax and
                    V(I) > 0 and
                    (for all J in V'First .. I => V(J) <= Max));
    end loop;
    return SecondMax;
end FindMax2;

and this are my pre- and postconditions:

package Max2 with SPARK_Mode is

    type Vector is array (Integer range <>) of Positive;

    function FindMax2 (V : Vector) return Integer
    with
        Pre => V'First < Integer'Last and V'Length > 0,
        Post => FindMax2'Result >= 0 and
        (FindMax2'Result = 0 or (for some I in V'Range => FindMax2'Result = V(I))) and
        (if FindMax2'Result /= 0 then (for some I in V'Range => V(I) > FindMax2'Result)) and
        (if FindMax2'Result = 0 then (for all I in V'Range => (for all J in V'Range => V(I) = V(J)))
        else
            (for all I in V'Range => (if V(I) > FindMax2'Result then (for all J in V'Range => V(J) <= V(I)))));
end Max2;

I'm stuck now on this message from GNATprove:

max2.ads:8:17: medium: postcondition might fail (e.g. when FindMax2'Result = 1 and V = (others => 1) and V'First = 0 and V'Last = 0)

If I am not mistaken it is reffering to the first condition about the result being greater or equal to 0, then why does it put 1 as a counter-example? Is there any way I can prove this?

pucikplay
  • 101
  • 4
  • It appears to be complaining about the assertion "V (I) > 0". It is possible that your Vector parameter is uninitialized and therefore might have a value less than 1 in one or more elements. Try adding a clause to your precondition indicating "for all I in V'Range => V(I) >= 1". – Jim Rogers Apr 22 '21 at 02:00
  • What should Findmax2 return when V'Length = 1? – Jeffrey R. Carter Apr 22 '21 at 08:00
  • It should return 0, as well as in the situation when all elements are equal. – pucikplay Apr 22 '21 at 11:33

2 Answers2

4

I managed to solve my problem. I was wrong about the error message, gnatprove was reffering to the whole post condition statement. If someone is interested in the solution, Iadded a few conditions in the loop invariant

pragma Loop_Invariant
            (Max > SecondMax and
            V(I) > 0 and
            (for all J in V'First .. I => V(J) <= Max) and

            (Max = 0 or (for some J in V'First .. I => Max = V(J))) and
            (SecondMax = 0 or (for some J in V'First .. I => SecondMax = V(J))) and

            (if SecondMax = 0 then (for all J in V'First .. I => (for all K in V'First .. I => V(J) = V(K)))
            else (for all J in V'First .. I => (if V(J) > SecondMax then (for all K in V'First .. I => V(K) <= V(J))))));
pucikplay
  • 101
  • 4
  • This this a really nice result. Thanks for sharing! Note that you can improve readability by factoring out the key predicates. I've added a refactored version of your answer in a [separate answer](https://stackoverflow.com/a/67218635/10975520). – DeeDee Apr 24 '21 at 08:54
1

Note that the actual answer was provided by the OP self here. Credits should go there. This is just an addition to my comment on that nice result.

max2.ads

package Max2 with SPARK_Mode is

   type Vector is array (Integer range <>) of Positive;


   function All_Same (V : Vector) return Boolean is
     (for all I in V'Range => (for all J in V'Range => V(I) = V(J)))
     with Ghost;

   function Elem_Of (V : Vector; X : Integer) return Boolean is
      (for some I in V'Range => V (I) = X)
       with Ghost; 

   function Is_Largest (V : Vector; X : Integer) return Boolean is
     (Elem_Of (V, X) and (for all I in V'Range => V (I) <= X))
       with Ghost;

   function Is_Second_Largest (V : Vector; X : Integer) return Boolean is
     (Elem_Of (V, X) and not Is_Largest (V, X) and
          (for all I in V'Range => V(I) <= X or else Is_Largest (V, V (I))))
       with Ghost;

   pragma Annotate (GNATprove, Inline_For_Proof, All_Same);
   pragma Annotate (GNATprove, Inline_For_Proof, Elem_Of);
   pragma Annotate (GNATprove, Inline_For_Proof, Is_Largest);
   pragma Annotate (GNATprove, Inline_For_Proof, Is_Second_Largest);


   procedure FindMax2 (V : Vector; Found : out Boolean; Value : out Natural)
     with Post => (if Found then Is_Second_Largest (V, Value) else All_Same (V));

end Max2;

max2.adb

package body Max2 with SPARK_Mode is
   
   --------------
   -- FindMax2 --
   --------------
   
   procedure FindMax2 
     (V     : in     Vector;
      Found :    out Boolean; 
      Value :    out Natural) 
   is
      L1 : Natural := 0;
      L2 : Natural := 0;
   begin      
      
      if V'Length > 1 then      
         for I in V'Range loop

            if L1 < V(I) then
               L2 := L1;
               L1 := V(I);
            elsif L2 < V(I) and V(I) < L1 then
               L2 := V(I);
            end if;

            pragma Loop_Invariant
              (L2 < L1);
           
            pragma Loop_Invariant
              (L1 = 0 or Elem_Of (V (V'First .. I), L1));
            pragma Loop_Invariant
              (L2 = 0 or Elem_Of (V (V'First .. I), L2));
            
            pragma Loop_Invariant
              (Is_Largest (V (V'First .. I), L1));
                    
            pragma Loop_Invariant
              (if L2 = 0 
               then All_Same (V (V'First .. I))
               else Is_Second_Largest (V (V'First .. I), L2));
         
         end loop;
      end if;
      
      Found := (L2 > 0);
      Value := L2;
      
   end FindMax2;

end Max2;
DeeDee
  • 5,654
  • 7
  • 14