diff --git a/report.pdf b/report.pdf index e585de9..eda8b1b 100644 Binary files a/report.pdf and b/report.pdf differ diff --git a/report.tex b/report.tex index 4fa08b1..47b9c60 100644 --- a/report.tex +++ b/report.tex @@ -168,9 +168,7 @@ Aside the \mintinline{dafny}{array} type declaration, no other condition is needed to constrain the input parameter \texttt{a} as a sorting algorithm should sort any list. Therefore, the method precondition is -\begin{center} \mintinline{dafny}{requires true} -\end{center} which can just be omitted. @@ -210,9 +208,83 @@ method SelectionSort(a: array) \end{minted} \subsection{Outer loop variant and invariant} -{\color{red}TBD} + +As mentioned already, the outer \textbf{while} loop in selection sort strongly +relates with the incremental selection of minimum values from the non-processed +part of the list (i.e. for indices in $[s,|a|)$) and them being moved to the +beginning of the list in the correct order. Indeed, the outer loop maintains two +main properties: + +\begin{itemize} +\item The processed elements (i.e. indices $[0, s)$) are sorted, as the elements + in them are the minimum, the second-minimum, the third-minimum and so on in + this order; +\item As all the processed elements have been selected as minimums, all of them + are by definition greater than or equal than the non-processed elements. + Even if this property seems trivial, it is quite important to ensure we + can simply ``append'' elements to the processed portion as they will for + sure be greater than all the values in indices $[0, s)$. +\end{itemize} + +We can formalize these two facts respectively with two Dafny loop invariants on +the outer while loop: + +\begin{minted}{dafny} +invariant s >= 1 ==> sorted(a[0..s]) // saying one item is sorted makes little sense +invariant forall i,j: int :: 0 <= i < s <= j < a.Length ==> a[i] <= a[j] +\end{minted} + +Since this loop has an index $s$ iterating over the values in $[0,|a| - 1]$ +(note that we condiser the value of $s$ after loop termination as well) in +steps of one the corresponding loop invariant and variant on the index are quite +straightforward\footnote{We specify loop variants as well for completeness' +sake, even if Dafny is able to infer them in these circumnstances.}. Indeed, +they are respectively: + +\begin{minted}{dafny} +invariant s <= a.Length - 1 +decreases a.Length - s +\end{minted} + +Finally, since the only mutation performed on the list is the \textbf{swap} +operation at line 22 of the code, and a swap operation does not create or +destroy values (either it swaps the position of two values or it swaps the same +position with itself -- i.e. doing nothing), the order-indifferent equality +predicate can be simply added to this loop as an invariant + +\begin{minted}{dafny} +invariant sameElements(a[..], old(a[..])) +\end{minted} + +However trivial of a fact as it is, Dafny requires it as an invariant to +complete the proof of correctness, and therefore we need to be a little redundant. \subsection{Inner loop variant and invariant} + +The inner loop implements the \textit{arg min} expression used in the assignment +at line 6 of the pseudocode. From this fact we can easily say this loop does not +mutate $a$ in any array and therefore the order-indifferent equality predicate +holds: + +\begin{minted}{dafny} +invariant sameElements(a[..], old(a[..])) +\end{minted} + +Then, we can define the invariant for the index $i$, which iterates +over the values in $[s + 1, |a|]$ in single increasing steps. We also know that +the loop condition is based on the upper bound of this interfal, so we can +define the loop variant as well: + +\begin{minted}{dafny} +invariant s + 1 <= i <= a.Length +decreases a.Length - i +\end{minted} + +The only assignments to variable \textit{min} are at line 11 and line 17 of the +pseudocode, where \textit{min} is initialized to $s$ and \textit{min} is +assigned the value of $i$ respectively. + + {\color{red}TBD}