1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
|
(* *********************************************************************)
(* *)
(* The Compcert verified compiler *)
(* *)
(* Xavier Leroy, INRIA Paris-Rocquencourt *)
(* *)
(* Copyright Institut National de Recherche en Informatique et en *)
(* Automatique. All rights reserved. This file is distributed *)
(* under the terms of the GNU Lesser General Public License as *)
(* published by the Free Software Foundation, either version 2.1 of *)
(* the License, or (at your option) any later version. *)
(* This file is also distributed under the terms of the *)
(* INRIA Non-Commercial License Agreement. *)
(* *)
(* *********************************************************************)
(** Finite sets of integer intervals *)
Require Import Coqlib.
Module ISet.
(** "Raw", non-dependent implementation. A set of intervals is a
list of nonempty semi-open intervals [(lo, hi)],
sorted in increasing order of the low bound,
and with no overlap nor adjacency between elements.
In particular, if the list contains [(lo1, hi1)] followed by [(lo2, hi2)],
we have [lo1 < hi1 < lo2 < hi2]. *)
Module R.
Inductive t : Type := Nil | Cons (lo hi: Z) (tl: t).
Fixpoint In (x: Z) (s: t) :=
match s with
| Nil => False
| Cons l h s' => l <= x < h \/ In x s'
end.
Inductive ok: t -> Prop :=
| ok_nil: ok Nil
| ok_cons: forall l h s
(BOUNDS: l < h)
(BELOW: forall x, In x s -> h < x)
(OK: ok s),
ok (Cons l h s).
Fixpoint mem (x: Z) (s: t) : bool :=
match s with
| Nil => false
| Cons l h s' => if zlt x h then zle l x else mem x s'
end.
Lemma mem_In:
forall x s, ok s -> (mem x s = true <-> In x s).
Proof.
induction 1; simpl.
- intuition congruence.
- destruct (zlt x h).
+ destruct (zle l x); simpl.
* tauto.
* split; intros. congruence.
exfalso. destruct H0. lia. exploit BELOW; eauto. lia.
+ rewrite IHok. intuition.
Qed.
Fixpoint contains (L H: Z) (s: t) : bool :=
match s with
| Nil => false
| Cons l h s' => (zle H h && zle l L) || contains L H s'
end.
Lemma contains_In:
forall l0 h0, l0 < h0 -> forall s, ok s ->
(contains l0 h0 s = true <-> (forall x, l0 <= x < h0 -> In x s)).
Proof.
induction 2; simpl.
- intuition. elim (H0 l0); lia.
- destruct (zle h0 h); simpl.
destruct (zle l l0); simpl.
intuition.
rewrite IHok. intuition. destruct (H3 x); auto. exfalso.
destruct (H3 l0). lia. lia. exploit BELOW; eauto. lia.
rewrite IHok. intuition. destruct (H3 x); auto. exfalso.
destruct (H3 h). lia. lia. exploit BELOW; eauto. lia.
Qed.
Fixpoint add (L H: Z) (s: t) {struct s} : t :=
match s with
| Nil => Cons L H Nil
| Cons l h s' =>
if zlt h L then Cons l h (add L H s')
else if zlt H l then Cons L H s
else add (Z.min l L) (Z.max h H) s'
end.
Lemma In_add:
forall x s, ok s -> forall l0 h0, (In x (add l0 h0 s) <-> l0 <= x < h0 \/ In x s).
Proof.
induction 1; simpl; intros.
tauto.
destruct (zlt h l0).
simpl. rewrite IHok. tauto.
destruct (zlt h0 l).
simpl. tauto.
rewrite IHok. intuition idtac.
assert (l0 <= x < h0 \/ l <= x < h) by extlia. tauto.
left; extlia.
left; extlia.
Qed.
Lemma add_ok:
forall s, ok s -> forall l0 h0, l0 < h0 -> ok (add l0 h0 s).
Proof.
induction 1; simpl; intros.
constructor. auto. intros. inv H0. constructor.
destruct (zlt h l0).
constructor; auto. intros. rewrite In_add in H1; auto.
destruct H1. lia. auto.
destruct (zlt h0 l).
constructor. auto. simpl; intros. destruct H1. lia. exploit BELOW; eauto. lia.
constructor. lia. auto. auto.
apply IHok. extlia.
Qed.
Fixpoint remove (L H: Z) (s: t) {struct s} : t :=
match s with
| Nil => Nil
| Cons l h s' =>
if zlt h L then Cons l h (remove L H s')
else if zlt H l then s
else if zlt l L then
if zlt H h then Cons l L (Cons H h s') else Cons l L (remove L H s')
else
if zlt H h then Cons H h s' else remove L H s'
end.
Lemma In_remove:
forall x l0 h0 s, ok s ->
(In x (remove l0 h0 s) <-> ~(l0 <= x < h0) /\ In x s).
Proof.
induction 1; simpl.
tauto.
destruct (zlt h l0).
simpl. rewrite IHok. intuition lia.
destruct (zlt h0 l).
simpl. intuition. exploit BELOW; eauto. lia.
destruct (zlt l l0).
destruct (zlt h0 h); simpl. clear IHok. split.
intros [A | [A | A]].
split. lia. left; lia.
split. lia. left; lia.
split. exploit BELOW; eauto. lia. auto.
intros [A [B | B]].
destruct (zlt x l0). left; lia. right; left; lia.
auto.
intuition lia.
destruct (zlt h0 h); simpl.
intuition. exploit BELOW; eauto. lia.
rewrite IHok. intuition. extlia.
Qed.
Lemma remove_ok:
forall l0 h0, l0 < h0 -> forall s, ok s -> ok (remove l0 h0 s).
Proof.
induction 2; simpl.
constructor.
destruct (zlt h l0).
constructor; auto. intros; apply BELOW. rewrite In_remove in H1; tauto.
destruct (zlt h0 l).
constructor; auto.
destruct (zlt l l0).
destruct (zlt h0 h).
constructor. lia. intros. inv H1. lia. exploit BELOW; eauto. lia.
constructor. lia. auto. auto.
constructor; auto. intros. rewrite In_remove in H1 by auto. destruct H1. exploit BELOW; eauto. lia.
destruct (zlt h0 h).
constructor; auto.
auto.
Qed.
Fixpoint inter (s1 s2: t) {struct s1} : t :=
let fix intr (s2: t) : t :=
match s1, s2 with
| Nil, _ => Nil
| _, Nil => Nil
| Cons l1 h1 s1', Cons l2 h2 s2' =>
if zle h1 l2 then inter s1' s2
else if zle h2 l1 then intr s2'
else if zle l1 l2 then
if zle h2 h1 then Cons l2 h2 (intr s2') else Cons l2 h1 (inter s1' s2)
else
if zle h1 h2 then Cons l1 h1 (inter s1' s2) else Cons l1 h2 (intr s2')
end
in intr s2.
Lemma In_inter:
forall x s1, ok s1 -> forall s2, ok s2 ->
(In x (inter s1 s2) <-> In x s1 /\ In x s2).
Proof.
induction 1.
simpl. induction 1; simpl. tauto. tauto.
assert (ok (Cons l h s)) by (constructor; auto).
induction 1; simpl.
tauto.
assert (ok (Cons l0 h0 s0)) by (constructor; auto).
destruct (zle h l0).
rewrite IHok; auto. simpl. intuition. extlia.
exploit BELOW0; eauto. intros. extlia.
destruct (zle h0 l).
simpl in IHok0; rewrite IHok0. intuition. extlia.
exploit BELOW; eauto. intros; extlia.
destruct (zle l l0).
destruct (zle h0 h).
simpl. simpl in IHok0; rewrite IHok0. intuition.
simpl. rewrite IHok; auto. simpl. intuition. exploit BELOW0; eauto. intros; extlia.
destruct (zle h h0).
simpl. rewrite IHok; auto. simpl. intuition.
simpl. simpl in IHok0; rewrite IHok0. intuition.
exploit BELOW; eauto. intros; extlia.
Qed.
Lemma inter_ok:
forall s1, ok s1 -> forall s2, ok s2 -> ok (inter s1 s2).
Proof.
induction 1.
intros; simpl. destruct s2; constructor.
assert (ok (Cons l h s)). constructor; auto.
induction 1; simpl.
constructor.
assert (ok (Cons l0 h0 s0)). constructor; auto.
destruct (zle h l0).
auto.
destruct (zle h0 l).
auto.
destruct (zle l l0).
destruct (zle h0 h).
constructor; auto. intros.
assert (In x (inter (Cons l h s) s0)) by exact H3.
rewrite In_inter in H4; auto. apply BELOW0. tauto.
constructor. lia. intros. rewrite In_inter in H3; auto. apply BELOW. tauto.
auto.
destruct (zle h h0).
constructor. lia. intros. rewrite In_inter in H3; auto. apply BELOW. tauto.
auto.
constructor. lia. intros.
assert (In x (inter (Cons l h s) s0)) by exact H3.
rewrite In_inter in H4; auto. apply BELOW0. tauto.
auto.
Qed.
Fixpoint union (s1 s2: t) : t :=
match s1, s2 with
| Nil, _ => s2
| _, Nil => s1
| Cons l1 h1 s1', Cons l2 h2 s2' => add l1 h1 (add l2 h2 (union s1' s2'))
end.
Lemma In_ok_union:
forall s1, ok s1 -> forall s2, ok s2 ->
ok (union s1 s2) /\ (forall x, In x s1 \/ In x s2 <-> In x (union s1 s2)).
Proof.
induction 1; destruct 1; simpl.
split. constructor. tauto.
split. constructor; auto. tauto.
split. constructor; auto. tauto.
destruct (IHok s0) as [A B]; auto.
split. apply add_ok; auto. apply add_ok; auto.
intros. rewrite In_add. rewrite In_add. rewrite <- B. tauto. auto. apply add_ok; auto.
Qed.
Fixpoint beq (s1 s2: t) : bool :=
match s1, s2 with
| Nil, Nil => true
| Cons l1 h1 t1, Cons l2 h2 t2 => zeq l1 l2 && zeq h1 h2 && beq t1 t2
| _, _ => false
end.
Lemma beq_spec:
forall s1, ok s1 -> forall s2, ok s2 ->
(beq s1 s2 = true <-> (forall x, In x s1 <-> In x s2)).
Proof.
induction 1; destruct 1; simpl.
- tauto.
- split; intros. discriminate. exfalso. apply (H0 l). left; lia.
- split; intros. discriminate. exfalso. apply (H0 l). left; lia.
- split; intros.
+ InvBooleans. subst. rewrite IHok in H3 by auto. rewrite H3. tauto.
+ destruct (zeq l l0). destruct (zeq h h0). simpl. subst.
apply IHok. auto. intros; split; intros.
destruct (proj1 (H1 x)); auto. exfalso. exploit BELOW; eauto. lia.
destruct (proj2 (H1 x)); auto. exfalso. exploit BELOW0; eauto. lia.
exfalso. subst l0. destruct (zlt h h0).
destruct (proj2 (H1 h)). left; lia. lia. exploit BELOW; eauto. lia.
destruct (proj1 (H1 h0)). left; lia. lia. exploit BELOW0; eauto. lia.
exfalso. destruct (zlt l l0).
destruct (proj1 (H1 l)). left; lia. lia. exploit BELOW0; eauto. lia.
destruct (proj2 (H1 l0)). left; lia. lia. exploit BELOW; eauto. lia.
Qed.
End R.
(** Exported interface, wrapping the [ok] invariant in a dependent type. *)
Definition t := { r: R.t | R.ok r }.
Program Definition In (x: Z) (s: t) := R.In x s.
Program Definition empty : t := R.Nil.
Next Obligation. constructor. Qed.
Theorem In_empty: forall x, ~(In x empty).
Proof.
unfold In; intros; simpl. tauto.
Qed.
Program Definition interval (l h: Z) : t :=
if zlt l h then R.Cons l h R.Nil else R.Nil.
Next Obligation.
constructor; auto. simpl; tauto. constructor.
Qed.
Next Obligation.
constructor.
Qed.
Theorem In_interval: forall x l h, In x (interval l h) <-> l <= x < h.
Proof.
intros. unfold In, interval; destruct (zlt l h); simpl.
intuition.
intuition.
Qed.
Program Definition add (l h: Z) (s: t) : t :=
if zlt l h then R.add l h s else s.
Next Obligation.
apply R.add_ok. apply proj2_sig. auto.
Qed.
Theorem In_add: forall x l h s, In x (add l h s) <-> l <= x < h \/ In x s.
Proof.
unfold add, In; intros.
destruct (zlt l h).
simpl. apply R.In_add. apply proj2_sig.
intuition. extlia.
Qed.
Program Definition remove (l h: Z) (s: t) : t :=
if zlt l h then R.remove l h s else s.
Next Obligation.
apply R.remove_ok. auto. apply proj2_sig.
Qed.
Theorem In_remove: forall x l h s, In x (remove l h s) <-> ~(l <= x < h) /\ In x s.
Proof.
unfold remove, In; intros.
destruct (zlt l h).
simpl. apply R.In_remove. apply proj2_sig.
intuition.
Qed.
Program Definition inter (s1 s2: t) : t := R.inter s1 s2.
Next Obligation. apply R.inter_ok; apply proj2_sig. Qed.
Theorem In_inter: forall x s1 s2, In x (inter s1 s2) <-> In x s1 /\ In x s2.
Proof.
unfold inter, In; intros; simpl. apply R.In_inter; apply proj2_sig.
Qed.
Program Definition union (s1 s2: t) : t := R.union s1 s2.
Next Obligation.
destruct (R.In_ok_union _ (proj2_sig s1) _ (proj2_sig s2)). auto.
Qed.
Theorem In_union: forall x s1 s2, In x (union s1 s2) <-> In x s1 \/ In x s2.
Proof.
unfold union, In; intros; simpl.
destruct (R.In_ok_union _ (proj2_sig s1) _ (proj2_sig s2)).
generalize (H0 x); tauto.
Qed.
Program Definition mem (x: Z) (s: t) := R.mem x s.
Theorem mem_spec: forall x s, mem x s = true <-> In x s.
Proof.
unfold mem, In; intros. apply R.mem_In. apply proj2_sig.
Qed.
Program Definition contains (l h: Z) (s: t) :=
if zlt l h then R.contains l h s else true.
Theorem contains_spec:
forall l h s, contains l h s = true <-> (forall x, l <= x < h -> In x s).
Proof.
unfold contains, In; intros. destruct (zlt l h).
apply R.contains_In. auto. apply proj2_sig.
split; intros. extlia. auto.
Qed.
Program Definition beq (s1 s2: t) : bool := R.beq s1 s2.
Theorem beq_spec:
forall s1 s2, beq s1 s2 = true <-> (forall x, In x s1 <-> In x s2).
Proof.
unfold mem, In; intros. apply R.beq_spec; apply proj2_sig.
Qed.
End ISet.
|
