wip report #2

report.tex

@@ -168,9 +168,7 @@ Aside the \mintinline{dafny}{array<int>} type declaration, no other condition is
 needed to constrain the input parameter \texttt{a} as a sorting algorithm should
 sort any list. Therefore, the method precondition is
 
-\begin{center}
 \mintinline{dafny}{requires true}
-\end{center}
 
 which can just be omitted.
 
@@ -210,9 +208,83 @@ method SelectionSort(a: array<int>)
 \end{minted}
 
 \subsection{Outer loop variant and invariant}
-{\color{red}TBD}
+
+As mentioned already, the outer \textbf{while} loop in selection sort strongly
+relates with the incremental selection of minimum values from the non-processed
+part of the list (i.e. for indices in $[s,|a|)$) and them being moved to the
+beginning of the list in the correct order. Indeed, the outer loop maintains two
+main properties:
+
+\begin{itemize}
+\item The processed elements (i.e. indices $[0, s)$) are sorted, as the elements
+    in them are the minimum, the second-minimum, the third-minimum and so on in
+    this order;
+\item As all the processed elements have been selected as minimums, all of them
+    are by definition greater than or equal than the non-processed elements.
+    Even if this property seems trivial, it is quite important to ensure we
+    can simply ``append'' elements to the processed portion as they will for
+    sure be greater than all the values in indices $[0, s)$.
+\end{itemize}
+
+We can formalize these two facts respectively with two Dafny loop invariants on
+the outer while loop:
+
+\begin{minted}{dafny}
+invariant s >= 1 ==> sorted(a[0..s]) // saying one item is sorted makes little sense
+invariant forall i,j: int :: 0 <= i < s <= j < a.Length ==> a[i] <= a[j]
+\end{minted}
+
+Since this loop has an index $s$ iterating over the values in $[0,|a| - 1]$
+(note that we condiser the value of $s$ after loop termination as well) in
+steps of one the corresponding loop invariant and variant on the index are quite
+straightforward\footnote{We specify loop variants as well for completeness'
+sake, even if Dafny is able to infer them in these circumnstances.}. Indeed,
+they are respectively:
+
+\begin{minted}{dafny}
+invariant s <= a.Length - 1
+decreases a.Length - s
+\end{minted}
+
+Finally, since the only mutation performed on the list is the \textbf{swap}
+operation at line 22 of the code, and a swap operation does not create or
+destroy values (either it swaps the position of two values or it swaps the same
+position with itself -- i.e. doing nothing), the order-indifferent equality
+predicate can be simply added to this loop as an invariant
+
+\begin{minted}{dafny}
+invariant sameElements(a[..], old(a[..]))
+\end{minted}
+
+However trivial of a fact as it is, Dafny requires it as an invariant to
+complete the proof of correctness, and therefore we need to be a little redundant.
 
 \subsection{Inner loop variant and invariant}
+
+The inner loop implements the \textit{arg min} expression used in the assignment
+at line 6 of the pseudocode. From this fact we can easily say this loop does not
+mutate $a$ in any array and therefore the order-indifferent equality predicate
+holds:
+
+\begin{minted}{dafny}
+invariant sameElements(a[..], old(a[..]))
+\end{minted}
+
+Then, we can define the invariant for the index $i$, which iterates
+over the values in $[s + 1, |a|]$ in single increasing steps. We also know that
+the loop condition is based on the upper bound of this interfal, so we can
+define the loop variant as well:
+
+\begin{minted}{dafny}
+invariant s + 1 <= i <= a.Length
+decreases a.Length - i
+\end{minted}
+
+The only assignments to variable \textit{min} are at line 11 and line 17 of the
+pseudocode, where \textit{min} is initialized to $s$ and \textit{min} is
+assigned the value of $i$ respectively.
+
+
 {\color{red}TBD}