Skip to content

Multi Sets #3698

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
lks9 wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Multi Sets #3698

lks9 wants to merge 4 commits into from

Conversation

@lks9
Copy link
Contributor

@lks9 lks9 commented Dec 11, 2025

Intended Change

This adds multisets in KeY, to show permutation properties. This complements the existing formalizations using seqPerm and bsum.

  • Adds (\mset int k; low <= k <= high; t) extended JML quantifier
  • Adds msetRange{int k;}(low, high, t) to JavaDL and other constructors such as msetSingle, msetSum
  • Adds rules for multisets

Plan

There were some fixes needed to actually prove permutation properties of quicksort or similar.

  • Solve the issue with applyEq or hideAuxiliaryEq. Three instantiations of hideAuxiliaryEq were needed, Quicksort_sort.zproof.zip
  • Check that the fix in EqualityConstraint.java, function normalize() does not break anything
  • Make the quicksort example work for the full specification, not just the permutation property
  • Add Quicksort example as test case
  • Resolve merge conflicts
  • Document the changes

Type of pull request

  • New feature (non-breaking change which adds functionality)
  • There are changes to the (Java) code
  • There are changes to the taclet rule base

Additional information

Quicksort could not be shown without the changes to EqualityConstraint.java. As far as I understand it, the isRigid() guard prevents normalization and is therefore a completeness bug in the current version of KeY. Credits go to @unp1. Apparently, in an old KeY 1.x version, the isRigid() guard was needed for soundness as it would prevent normalization with constrained program variables.

The basic idea of the MSet rules is as follows:

  1. If a single array element is updated, we should decompose the msetRange into a msetSum of the msetSingle with the updated element and msetRange for the remaining part without the update.
  2. msetSum is converted into a normal form using associativity and commutativity.
  3. The points above convert an equation over two msets A = B into A_decomposed = B. To bring B in the same form (although there are no updates), msetRange is also decomposed on side B an equation using the rule mset_extract_triggered and friends.

Alternatively to the decomposition approach, we could also back-convert the normal form of msetSums (e.g. A_decomposed) into a big msetRange. However, we have not implemented this.

The contributions within this pull request are licensed under GPLv2 (only) for inclusion in KeY.

@lks9 lks9 changed the title Multi set Multi Sets Dec 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lks9 @silviazoraqi