Hoare triple specifications for select functions

This module contains Hoare triple specifications for some functions in Core.

@[reducible, inline]

abbrev Std.Range.toList (r : Range) : List Nat

Converts a range to the list of all numbers in the range.

Equations

• r.toList = List.range' r.start ((r.stop - r.start + r.step - 1) / r.step) r.step

structure List.Cursor {α : Type u} (l : List α) : Type u

A pointer at a specific location in a list. List cursors are used in loop invariants for the mvcgen tactic.

Moving the cursor to the left or right takes time linear in the current position of the cursor, so this data structure is not appropriate for run-time code.

• prefix : List α

  The elements before to the current position in the list.

• suffix : List α

  The elements starting at the current position. If the position is after the last element of the list, then the suffix is empty; otherwise, the first element of the suffix is the current element that the cursor points to.

• property : self.prefix ++ self.suffix = l

  Appending the prefix to the suffix yields the original list.

theorem List.Cursor.ext_iff {α : Type u} {l : List α} {x y : l.Cursor} : x = y ↔ x.prefix = y.prefix ∧ x.suffix = y.suffix

theorem List.Cursor.ext {α : Type u} {l : List α} {x y : l.Cursor} («prefix» : x.prefix = y.prefix) (suffix : x.suffix = y.suffix) : x = y

def List.Cursor.at {α : Type u_1} (l : List α) (n : Nat) : l.Cursor

Creates a cursor at position n in the list l. The prefix contains the first n elements, and the suffix contains the remaining elements. If n is larger than the length of the list, the cursor is positioned at the end of the list.

Equations

• List.Cursor.at l n = { «prefix» := List.take n l, suffix := List.drop n l, property := ⋯ }

@[reducible, inline]

abbrev List.Cursor.begin {α : Type u_1} (l : List α) : l.Cursor

Creates a cursor at the beginning of the list (position 0). The prefix is empty and the suffix is the entire list.

Equations

• List.Cursor.begin l = List.Cursor.at l 0

@[reducible, inline]

abbrev List.Cursor.end {α : Type u_1} (l : List α) : l.Cursor

Creates a cursor at the end of the list. The prefix is the entire list and the suffix is empty.

Equations

• List.Cursor.end l = List.Cursor.at l l.length

def List.Cursor.current {α : Type u_1} {l : List α} (c : l.Cursor) (h : 0 < c.suffix.length := by get_elem_tactic) : α

Returns the element at the current cursor position.

Requires that is a current element: the suffix must be non-empty, so the cursor is not at the end of the list.

Equations

• c.current h = c.suffix[0]

def List.Cursor.tail {α✝ : Type u_1} {l : List α✝} (s : l.Cursor) (h : 0 < s.suffix.length := by get_elem_tactic) : l.Cursor

Advances the cursor by one position, moving the current element from the suffix to the prefix.

Requires that the cursor is not already at the end of the list.

Equations

• s.tail h = { «prefix» := s.prefix ++ [s.current h], suffix := s.suffix.tail, property := ⋯ }

@[simp]

theorem List.Cursor.prefix_at {α : Type u_1} {n : Nat} (l : List α) : («at» l n).prefix = take n l

@[simp]

theorem List.Cursor.suffix_at {α : Type u_1} {n : Nat} (l : List α) : («at» l n).suffix = drop n l

@[simp]

theorem List.Cursor.current_at {α : Type u_1} {n : Nat} (l : List α) (h : n < l.length) : («at» l n).current ⋯ = l[n]

@[simp]

theorem List.Cursor.tail_at {α : Type u_1} {n : Nat} (l : List α) (h : n < l.length) : («at» l n).tail ⋯ = «at» l (n + 1)

@[reducible, inline]

abbrev List.Cursor.pos {α✝ : Type u_1} {l : List α✝} (c : l.Cursor) : Nat

The position of the cursor in the list. It's a shortcut for the number of elements in the prefix.

Equations

• c.pos = c.prefix.length

@[simp]

theorem List.Cursor.pos_at {α : Type u_1} {l : List α} {n : Nat} (h : n < l.length) : («at» l n).pos = n

@[simp]

theorem List.Cursor.pos_mk {α : Type u_1} {l pre suff : List α} (h : pre ++ suff = l) : { «prefix» := pre, suffix := suff, property := h }.pos = pre.length

theorem List.eq_of_range'_eq_append_cons {s n step : Nat} {xs : List Nat} {cur : Nat} {ys : List Nat} (h : range' s n step = xs ++ cur :: ys) : cur = s + step * xs.length

theorem List.length_of_range'_eq_append_cons {s n step : Nat} {xs : List Nat} {cur : Nat} {ys : List Nat} (h : range' s n step = xs ++ cur :: ys) : n = xs.length + ys.length + 1

theorem List.mem_of_range'_eq_append_cons {s n step : Nat} {xs : List Nat} {i : Nat} {ys : List Nat} (h : range' s n step = xs ++ i :: ys) : i ∈ range' s n step

theorem List.gt_of_range'_eq_append_cons {s n step : Nat} {xs : List Nat} {i : Nat} {ys : List Nat} {j : Nat} (h : range' s n step = xs ++ i :: ys) (hstep : 0 < step) (hj : j ∈ xs) : j < i

theorem List.lt_of_range'_eq_append_cons {s n step : Nat} {xs : List Nat} {i : Nat} {ys : List Nat} {j : Nat} (h : range' s n step = xs ++ i :: ys) (hstep : 0 < step) (hj : j ∈ ys) : i < j

Monad

theorem Std.Do.Spec.pure' {m : Type u → Type v} {ps : PostShape} {α : Type u} {a : α} [Monad m] [WPMonad m ps] {P : Assertion ps} {Q : PostCond α ps} (h : P ⊢ₛ Q.fst a) : ⦃P⦄ Pure.pure a ⦃Q⦄

theorem Std.Do.Spec.pure {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {α : Type u} {a : α} {Q : PostCond α ps} : ⦃Q.fst a⦄ Pure.pure a ⦃Q⦄

theorem Std.Do.Spec.bind' {m : Type u → Type v} {ps : PostShape} {α β : Type u} [Monad m] [WPMonad m ps] {x : m α} {f : α → m β} {P : Assertion ps} {Q : PostCond β ps} (h : ⦃P⦄ x ⦃(fun (a : α) => wp⟦f a⟧ Q, Q.snd)⦄) : ⦃P⦄ (x >>= f) ⦃Q⦄

theorem Std.Do.Spec.bind {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {α β : Type u} {x : m α} {f : α → m β} {Q : PostCond β ps} : ⦃wp⟦x⟧ (fun (a : α) => wp⟦f a⟧ Q, Q.snd)⦄ (x >>= f) ⦃Q⦄

theorem Std.Do.Spec.map {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {α β : Type u} {x : m α} {f : α → β} {Q : PostCond β ps} : ⦃wp⟦x⟧ (fun (a : α) => Q.fst (f a), Q.snd)⦄ (f <$> x) ⦃Q⦄

theorem Std.Do.Spec.seq {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {α β : Type u} {x : m (α → β)} {y : m α} {Q : PostCond β ps} : ⦃wp⟦x⟧ (fun (f : α → β) => wp⟦y⟧ (fun (a : α) => Q.fst (f a), Q.snd), Q.snd)⦄ (x <*> y) ⦃Q⦄

MonadLift

theorem Std.Do.Spec.monadLift_StateT {m : Type u → Type v} {ps : PostShape} {α σ : Type u} [Monad m] [WPMonad m ps] (x : m α) (Q : PostCond α (PostShape.arg σ ps)) : ⦃fun (s : σ) => wp⟦x⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadLift.monadLift x ⦃Q⦄

theorem Std.Do.Spec.monadLift_ReaderT {m : Type u → Type v} {ps : PostShape} {α ρ : Type u} [Monad m] [WPMonad m ps] (x : m α) (Q : PostCond α (PostShape.arg ρ ps)) : ⦃fun (s : ρ) => wp⟦x⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadLift.monadLift x ⦃Q⦄

theorem Std.Do.Spec.monadLift_ExceptT {m : Type u → Type v} {ps : PostShape} {α ε : Type u} [Monad m] [WPMonad m ps] (x : m α) (Q : PostCond α (PostShape.except ε ps)) : ⦃wp⟦x⟧ (fun (a : α) => Q.fst a, Q.snd.snd)⦄ MonadLift.monadLift x ⦃Q⦄

theorem Std.Do.Spec.monadLift_OptionT {m : Type u → Type v} {ps : PostShape} {α : Type u} [Monad m] [WPMonad m ps] (x : m α) (Q : PostCond α (PostShape.except PUnit ps)) : ⦃wp⟦x⟧ (fun (a : α) => Q.fst a, Q.snd.snd)⦄ MonadLift.monadLift x ⦃Q⦄

MonadLiftT

MonadFunctor

theorem Std.Do.Spec.monadMap_StateT {m : Type u → Type v} {ps : PostShape} {σ : Type u} [Monad m] [WP m ps] (f : {β : Type u} → m β → m β) {α : Type u} (x : StateT σ m α) (Q : PostCond α (PostShape.arg σ ps)) : ⦃fun (s : σ) => wp⟦f (x.run s)⟧ (fun (x : α × σ) => match x with | (a, s) => Q.fst a s, Q.snd)⦄ MonadFunctor.monadMap (fun {β : Type u} => f) x ⦃Q⦄

theorem Std.Do.Spec.monadMap_ReaderT {m : Type u → Type v} {ps : PostShape} {ρ : Type u} [Monad m] [WP m ps] (f : {β : Type u} → m β → m β) {α : Type u} (x : ReaderT ρ m α) (Q : PostCond α (PostShape.arg ρ ps)) : ⦃fun (s : ρ) => wp⟦f (x.run s)⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadFunctor.monadMap (fun {β : Type u} => f) x ⦃Q⦄

theorem Std.Do.Spec.monadMap_ExceptT {m : Type u → Type v} {ps : PostShape} {ε : Type u} [Monad m] [WP m ps] (f : {β : Type u} → m β → m β) {α : Type u} (x : ExceptT ε m α) (Q : PostCond α (PostShape.except ε ps)) : ⦃wp⟦f x.run⟧ (fun (e : Except ε α) => Except.casesOn e Q.snd.fst Q.fst, Q.snd.snd)⦄ MonadFunctor.monadMap (fun {β : Type u} => f) x ⦃Q⦄

theorem Std.Do.Spec.monadMap_OptionT {m : Type u → Type v} {ps : PostShape} [Monad m] [WP m ps] (f : {β : Type u} → m β → m β) {α : Type u} (x : OptionT m α) (Q : PostCond α (PostShape.except PUnit ps)) : ⦃wp⟦f x.run⟧ (fun (o : Option α) => Option.casesOn o (Q.snd.fst PUnit.unit) Q.fst, Q.snd.snd)⦄ MonadFunctor.monadMap (fun {β : Type u} => f) x ⦃Q⦄

MonadFunctorT

theorem Std.Do.Spec.monadMap_trans {m : Type u → Type v} {ps : PostShape} {o : Type u → Type u_1} {n : Type u → Type u_2} {α : Type u} {f : {β : Type u} → m β → m β} {x : o α} {Q : PostCond α ps} [WP o ps] [MonadFunctor n o] [MonadFunctorT m n] : ⦃wp⟦MonadFunctor.monadMap (fun {β : Type u} => monadMap fun {β : Type u} => f) x⟧ Q⦄ monadMap f x ⦃Q⦄

theorem Std.Do.Spec.monadMap_refl {m : Type u → Type v} {ps : PostShape} {α : Type u} {f : {β : Type u} → m β → m β} {x : m α} {Q : PostCond α ps} [WP m ps] : ⦃wp⟦f x⟧ Q⦄ monadMap f x ⦃Q⦄

MonadControl

theorem Std.Do.Spec.liftWith_StateT {m : Type u → Type v} {ps : PostShape} {σ α : Type u} {Q : PostCond α (PostShape.arg σ ps)} [Monad m] [WPMonad m ps] (f : ({β : Type u} → StateT σ m β → m (β × σ)) → m α) : ⦃fun (s : σ) => wp⟦f fun {β : Type u} (x : StateT σ m β) => x.run s⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadControl.liftWith f ⦃Q⦄

theorem Std.Do.Spec.liftWith_ReaderT {m : Type u → Type v} {ps : PostShape} {ρ α : Type u} {Q : PostCond α (PostShape.arg ρ ps)} [Monad m] [WPMonad m ps] (f : ({β : Type u} → ReaderT ρ m β → m β) → m α) : ⦃fun (s : ρ) => wp⟦f fun {β : Type u} (x : ReaderT ρ m β) => x.run s⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadControl.liftWith f ⦃Q⦄

theorem Std.Do.Spec.liftWith_ExceptT {m : Type u → Type v} {ps : PostShape} {ε α : Type u} {Q : PostCond α (PostShape.except ε ps)} [Monad m] [WPMonad m ps] (f : ({β : Type u} → ExceptT ε m β → m (Except ε β)) → m α) : ⦃wp⟦f fun {β : Type u} (x : ExceptT ε m β) => x.run⟧ (Q.fst, Q.snd.snd)⦄ MonadControl.liftWith f ⦃Q⦄

theorem Std.Do.Spec.liftWith_OptionT {m : Type u → Type v} {ps : PostShape} {α : Type u} {Q : PostCond α (PostShape.except PUnit ps)} [Monad m] [WPMonad m ps] (f : ({β : Type u} → OptionT m β → m (Option β)) → m α) : ⦃wp⟦f fun {β : Type u} (x : OptionT m β) => x.run⟧ (Q.fst, Q.snd.snd)⦄ MonadControl.liftWith f ⦃Q⦄

theorem Std.Do.Spec.restoreM_StateT {m : Type u → Type v} {ps : PostShape} {α σ : Type u} {Q : PostCond α (PostShape.arg σ ps)} [Monad m] [WPMonad m ps] (x : m (α × σ)) : ⦃fun (x_1 : σ) => wp⟦x⟧ (fun (x : α × σ) => match x with | (a, s) => Q.fst a s, Q.snd)⦄ MonadControl.restoreM do let a ← x Pure.pure a ⦃Q⦄

theorem Std.Do.Spec.restoreM_ReaderT {m : Type u → Type v} {ps : PostShape} {α ρ : Type u} {Q : PostCond α (PostShape.arg ρ ps)} [Monad m] [WPMonad m ps] (x : m α) : ⦃fun (s : ρ) => wp⟦x⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadControl.restoreM x ⦃Q⦄

theorem Std.Do.Spec.restoreM_ExceptT {m : Type u → Type v} {ps : PostShape} {ε α : Type u} {Q : PostCond α (PostShape.except ε ps)} [Monad m] [WPMonad m ps] (x : m (Except ε α)) : ⦃wp⟦x⟧ (fun (e : Except ε α) => Except.casesOn e Q.snd.fst Q.fst, Q.snd.snd)⦄ MonadControl.restoreM do let a ← x Pure.pure a ⦃Q⦄

theorem Std.Do.Spec.restoreM_OptionT {m : Type u → Type v} {ps : PostShape} {α : Type u} {Q : PostCond α (PostShape.except PUnit ps)} [Monad m] [WPMonad m ps] (x : m (Option α)) : ⦃wp⟦x⟧ (fun (e : Option α) => Option.casesOn e (Q.snd.fst PUnit.unit) Q.fst, Q.snd.snd)⦄ MonadControl.restoreM do let a ← x Pure.pure a ⦃Q⦄

MonadControlT

theorem Std.Do.Spec.liftWith_trans {m : Type u → Type v} {ps : PostShape} {o : Type u → Type u_1} {n : Type u → Type u_2} {α : Type u} {Q : PostCond α ps} [WP o ps] [MonadControl n o] [MonadControlT m n] (f : ({β : Type u} → o β → m (stM m o β)) → m α) : ⦃wp⟦MonadControl.liftWith fun (x₂ : {β : Type u} → o β → n (MonadControl.stM n o β)) => liftWith fun (x₁ : {β : Type u} → n β → m (stM m n β)) => f fun {β : Type u} => x₁ ∘ x₂⟧ Q⦄ liftWith f ⦃Q⦄

theorem Std.Do.Spec.liftWith_refl {m : Type u → Type v} {ps : PostShape} {α : Type u} {Q : PostCond α ps} [WP m ps] [Pure m] (f : ({β : Type u} → m β → m β) → m α) : ⦃wp⟦f fun {β : Type u} (x : m β) => x⟧ Q⦄ liftWith f ⦃Q⦄

theorem Std.Do.Spec.restoreM_trans {m : Type u → Type v} {ps : PostShape} {o : Type u → Type u_1} {n : Type u → Type u_2} {α : Type u} {Q : PostCond α ps} [WP o ps] [MonadControl n o] [MonadControlT m n] (x : stM m o α) : ⦃wp⟦MonadControl.restoreM (restoreM x)⟧ Q⦄ restoreM x ⦃Q⦄

theorem Std.Do.Spec.restoreM_refl {m : Type u → Type v} {ps : PostShape} {α : Type u} {Q : PostCond α ps} [WP m ps] [Pure m] (x : stM m m α) : ⦃wp⟦Pure.pure x⟧ Q⦄ restoreM x ⦃Q⦄

ReaderT

theorem Std.Do.Spec.read_ReaderT {m : Type u → Type v} {psm : PostShape} {ρ : Type u} {Q : PostCond ρ (PostShape.arg ρ psm)} [Monad m] [WPMonad m psm] : ⦃fun (r : ρ) => Q.fst r r⦄ MonadReaderOf.read ⦃Q⦄

theorem Std.Do.Spec.withReader_ReaderT {m : Type u → Type v} {psm : PostShape} {ρ α : Type u} {f : ρ → ρ} {x : ReaderT ρ m α} {Q : PostCond α (PostShape.arg ρ psm)} [WP m psm] : ⦃fun (r : ρ) => wp⟦x⟧ (fun (a : α) (x : ρ) => Q.fst a r, Q.snd) (f r)⦄ MonadWithReaderOf.withReader f x ⦃Q⦄

theorem Std.Do.Spec.adapt_ReaderT {m : Type u → Type v} {ps : PostShape} {ρ ρ' α : Type u} {x : ReaderT ρ' m α} {Q : PostCond α (PostShape.arg ρ ps)} [WP m ps] (f : ρ → ρ') : ⦃fun (r : ρ) => wp⟦x⟧ (fun (a : α) (x : ρ') => Q.fst a r, Q.snd) (f r)⦄ ReaderT.adapt f x ⦃Q⦄

StateT

theorem Std.Do.Spec.get_StateT {m : Type u → Type v} {psm : PostShape} {σ : Type u} {Q : PostCond σ (PostShape.arg σ psm)} [Monad m] [WPMonad m psm] : ⦃fun (s : σ) => Q.fst s s⦄ MonadStateOf.get ⦃Q⦄

theorem Std.Do.Spec.set_StateT {m : Type u → Type v} {psm : PostShape} {σ : Type u} {s : σ} {Q : PostCond PUnit (PostShape.arg σ psm)} [Monad m] [WPMonad m psm] : ⦃fun (x : σ) => Q.fst PUnit.unit s⦄ set s ⦃Q⦄

theorem Std.Do.Spec.modifyGet_StateT {m : Type u → Type v} {ps : PostShape} {σ α : Type u} {f : σ → α × σ} {Q : PostCond α (PostShape.arg σ ps)} [Monad m] [WPMonad m ps] : ⦃fun (s : σ) => have t := f s; Q.fst t.fst t.snd⦄ MonadStateOf.modifyGet f ⦃Q⦄

ExceptT

theorem Std.Do.Spec.run_ExceptT {m : Type u → Type v} {ps : PostShape} {ε α : Type u} {Q : PostCond (Except ε α) ps} [WP m ps] (x : ExceptT ε m α) : ⦃wp⟦x⟧ (fun (a : α) => Q.fst (Except.ok a), fun (e : ε) => Q.fst (Except.error e), Q.snd)⦄ x.run ⦃Q⦄

theorem Std.Do.Spec.throw_ExceptT {m : Type u → Type v} {ps : PostShape} {ε α : Type u} {e : ε} {Q : PostCond α (PostShape.except ε ps)} [Monad m] [WPMonad m ps] : ⦃Q.snd.fst e⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_ExceptT {m : Type u → Type v} {ps : PostShape} {α ε : Type u} {x : ExceptT ε m α} {h : ε → ExceptT ε m α} [Monad m] [WPMonad m ps] (Q : PostCond α (PostShape.except ε ps)) : ⦃wp⟦x⟧ (Q.fst, fun (e : ε) => wp⟦h e⟧ Q, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.orElse_ExceptT {m : Type u → Type v} {ps : PostShape} {α ε : Type u} {x : ExceptT ε m α} {h : Unit → ExceptT ε m α} [Monad m] [WPMonad m ps] (Q : PostCond α (PostShape.except ε ps)) : ⦃wp⟦x⟧ (Q.fst, fun (x : ε) => wp⟦h ()⟧ Q, Q.snd.snd)⦄ OrElse.orElse x h ⦃Q⦄

theorem Std.Do.Spec.adapt_ExceptT {m : Type u → Type v} {ps : PostShape} {ε ε' α : Type u} {x : ExceptT ε m α} [Monad m] [WPMonad m ps] (f : ε → ε') (Q : PostCond α (PostShape.except ε' ps)) : ⦃wp⟦x⟧ (Q.fst, fun (e : ε) => Q.snd.fst (f e), Q.snd.snd)⦄ ExceptT.adapt f x ⦃Q⦄

Except

theorem Std.Do.Spec.throw_Except {m : Type u → Type v} {ps : PostShape} {ε α : Type u_1} {e : ε} {Q : PostCond α (PostShape.except ε PostShape.pure)} [Monad m] [WPMonad m ps] : ⦃Q.snd.fst e⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_Except {α ε : Type u_1} {x : Except ε α} {h : ε → Except ε α} (Q : PostCond α (PostShape.except ε PostShape.pure)) : ⦃wp⟦x⟧ (Q.fst, fun (e : ε) => wp⟦h e⟧ Q, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.orElse_Except {α ε : Type u_1} {x : Except ε α} {h : Unit → Except ε α} (Q : PostCond α (PostShape.except ε PostShape.pure)) : ⦃wp⟦x⟧ (Q.fst, fun (x : ε) => wp⟦h ()⟧ Q, Q.snd.snd)⦄ OrElse.orElse x h ⦃Q⦄

OptionT

theorem Std.Do.Spec.run_OptionT {m : Type u → Type v} {ps : PostShape} {α : Type u} {Q : PostCond (Option α) ps} [WP m ps] (x : OptionT m α) : ⦃wp⟦x⟧ (fun (a : α) => Q.fst (some a), fun (x : PUnit) => Q.fst none, Q.snd)⦄ x.run ⦃Q⦄

theorem Std.Do.Spec.throw_OptionT {m : Type u → Type v} {ps : PostShape} {α : Type u} {e : PUnit} {Q : PostCond α (PostShape.except PUnit ps)} [Monad m] [WPMonad m ps] : ⦃Q.snd.fst e⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_OptionT {m : Type u → Type v} {ps : PostShape} {α : Type u} {x : OptionT m α} {h : PUnit → OptionT m α} [Monad m] [WPMonad m ps] (Q : PostCond α (PostShape.except PUnit ps)) : ⦃wp⟦x⟧ (Q.fst, fun (e : PUnit) => wp⟦h e⟧ Q, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.orElse_OptionT {m : Type u → Type v} {ps : PostShape} {α : Type u} {x : OptionT m α} {h : Unit → OptionT m α} [Monad m] [WPMonad m ps] (Q : PostCond α (PostShape.except PUnit ps)) : ⦃wp⟦x⟧ (Q.fst, fun (x : PUnit) => wp⟦h ()⟧ Q, Q.snd.snd)⦄ OrElse.orElse x h ⦃Q⦄

Option

theorem Std.Do.Spec.throw_Option {m : Type u → Type v} {ps : PostShape} {α : Type} {e : PUnit} {Q : PostCond α (PostShape.except PUnit PostShape.pure)} [Monad m] [WPMonad m ps] : ⦃Q.snd.fst e⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_Option {α : Type} {x : Option α} {h : PUnit → Option α} (Q : PostCond α (PostShape.except PUnit PostShape.pure)) : ⦃wp⟦x⟧ (Q.fst, fun (e : PUnit) => wp⟦h e⟧ Q, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.orElse_Option {α : Type u_1} {x : Option α} {h : Unit → Option α} (Q : PostCond α (PostShape.except PUnit PostShape.pure)) : ⦃wp⟦x⟧ (Q.fst, fun (x : PUnit) => wp⟦h ()⟧ Q, Q.snd.snd)⦄ OrElse.orElse x h ⦃Q⦄

EStateM

theorem Std.Do.Spec.get_EStateM {ε σ : Type u_1} {Q : PostCond σ (PostShape.except ε (PostShape.arg σ PostShape.pure))} : ⦃fun (s : σ) => Q.fst s s⦄ MonadStateOf.get ⦃Q⦄

theorem Std.Do.Spec.set_EStateM {ε σ : Type} {s : σ} {Q : PostCond PUnit (PostShape.except ε (PostShape.arg σ PostShape.pure))} : ⦃fun (x : σ) => Q.fst () s⦄ set s ⦃Q⦄

theorem Std.Do.Spec.modifyGet_EStateM {ε σ α : Type u_1} {f : σ → α × σ} {Q : PostCond α (PostShape.except ε (PostShape.arg σ PostShape.pure))} : ⦃fun (s : σ) => have t := f s; Q.fst t.fst t.snd⦄ MonadStateOf.modifyGet f ⦃Q⦄

theorem Std.Do.Spec.throw_EStateM {ε σ α : Type u_1} {e : ε} {Q : PostCond α (PostShape.except ε (PostShape.arg σ PostShape.pure))} : ⦃Q.snd.fst e⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_EStateM {α ε σ : Type u_1} {x : EStateM ε σ α} {h : ε → EStateM ε σ α} (Q : PostCond α (PostShape.except ε (PostShape.arg σ PostShape.pure))) : ⦃fun (s : σ) => wp⟦x⟧ (Q.fst, fun (e : ε) (s' : σ) => wp⟦h e⟧ Q (EStateM.Backtrackable.restore s' (EStateM.Backtrackable.save s)), Q.snd.snd) s⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.orElse_EStateM {α ε σ : Type u_1} {x : EStateM ε σ α} {h : Unit → EStateM ε σ α} (Q : PostCond α (PostShape.except ε (PostShape.arg σ PostShape.pure))) : ⦃fun (s : σ) => wp⟦x⟧ (Q.fst, fun (x : ε) (s' : σ) => wp⟦h ()⟧ Q (EStateM.Backtrackable.restore s' (EStateM.Backtrackable.save s)), Q.snd.snd) s⦄ OrElse.orElse x h ⦃Q⦄

theorem Std.Do.Spec.adaptExcept_EStateM {ε ε' α σ : Type u_1} {x : EStateM ε σ α} (f : ε → ε') (Q : PostCond α (PostShape.except ε' (PostShape.arg σ PostShape.pure))) : ⦃wp⟦x⟧ (Q.fst, fun (e : ε) => Q.snd.fst (f e), Q.snd.snd)⦄ EStateM.adaptExcept f x ⦃Q⦄

Lifting MonadStateOf

Lifting MonadReaderOf

Lifting MonadExceptOf

theorem Std.Do.Spec.throw_MonadExcept {m : Type u → Type v} {ε : Type u_1} {α : Type u} {e : ε} {ps✝ : PostShape} {Q : PostCond α ps✝} [MonadExceptOf ε m] [WP m ps✝] : ⦃wp⟦MonadExceptOf.throw e⟧ Q⦄ throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_MonadExcept {m : Type u → Type v} {ps : PostShape} {ε : Type u_1} {α : Type u} {x : m α} {h : ε → m α} [MonadExceptOf ε m] [WP m ps] (Q : PostCond α ps) : ⦃wp⟦MonadExceptOf.tryCatch x h⟧ Q⦄ tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.throw_ReaderT {m : Type u → Type v} {sh : PostShape} {ε : Type u_1} {ρ α : Type u} {e : ε} {Q : PostCond α (PostShape.arg ρ sh)} [WP m sh] [MonadExceptOf ε m] : ⦃wp⟦MonadLift.monadLift (MonadExceptOf.throw e)⟧ Q⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.throw_StateT {m : Type u → Type v} {ps : PostShape} {ε : Type u_1} {α σ : Type u} {e : ε} [WP m ps] [Monad m] [MonadExceptOf ε m] (Q : PostCond α (PostShape.arg σ ps)) : ⦃wp⟦MonadLift.monadLift (MonadExceptOf.throw e)⟧ Q⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.throw_ExceptT_lift {m : Type u → Type v} {ps : PostShape} {ε α ε' : Type u} {e : ε} [WP m ps] [MonadExceptOf ε m] (Q : PostCond α (PostShape.except ε' ps)) : ⦃wp⟦MonadExceptOf.throw e⟧ (fun (e : Except ε' α) => Except.casesOn e Q.snd.fst Q.fst, Q.snd.snd)⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.throw_Option_lift {m : Type u → Type v} {ps : PostShape} {ε α : Type u} {e : ε} [WP m ps] [MonadExceptOf ε m] (Q : PostCond α (PostShape.except PUnit ps)) : ⦃wp⟦MonadExceptOf.throw e⟧ (fun (o : Option α) => Option.casesOn o (Q.snd.fst PUnit.unit) Q.fst, Q.snd.snd)⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_ReaderT {m : Type u → Type v} {ps : PostShape} {ε : Type u_1} {α ρ : Type u} {x : ReaderT ρ m α} {h : ε → ReaderT ρ m α} [WP m ps] [MonadExceptOf ε m] (Q : PostCond α (PostShape.arg ρ ps)) : ⦃fun (r : ρ) => wp⟦MonadExceptOf.tryCatch (x.run r) fun (e : ε) => (h e).run r⟧ (fun (a : α) => Q.fst a r, Q.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.tryCatch_StateT {m : Type u → Type v} {ps : PostShape} {ε : Type u_1} {α σ : Type u} {x : StateT σ m α} {h : ε → StateT σ m α} [WP m ps] [Monad m] [MonadExceptOf ε m] (Q : PostCond α (PostShape.arg σ ps)) : ⦃fun (s : σ) => wp⟦MonadExceptOf.tryCatch (x.run s) fun (e : ε) => (h e).run s⟧ (fun (xs : α × σ) => Q.fst xs.fst xs.snd, Q.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.tryCatch_ExceptT_lift {m : Type u → Type v} {ps : PostShape} {ε α ε' : Type u} {x : ExceptT ε' m α} {h : ε → ExceptT ε' m α} [WP m ps] [MonadExceptOf ε m] (Q : PostCond α (PostShape.except ε' ps)) : ⦃wp⟦MonadExceptOf.tryCatch x h⟧ (fun (e : Except ε' α) => Except.casesOn e Q.snd.fst Q.fst, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.tryCatch_OptionT_lift {m : Type u → Type v} {ps : PostShape} {ε α : Type u} {x : OptionT m α} {h : ε → OptionT m α} [WP m ps] [MonadExceptOf ε m] (Q : PostCond α (PostShape.except PUnit ps)) : ⦃wp⟦MonadExceptOf.tryCatch x h⟧ (fun (o : Option α) => Option.casesOn o (Q.snd.fst PUnit.unit) Q.fst, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

Lifting OrElse

ForIn

@[reducible, inline]

abbrev Std.Do.Invariant {α : Type u₁} (xs : List α) (β : Type u₂) (ps : PostShape) : Type (max u₂ u₁)

The type of loop invariants used by the specifications of for ... in ... loops. A loop invariant is a PostCond that takes as parameters

• A List.Cursor xs representing the iteration state of the loop. It is parameterized by the list of elements xs that the for loop iterates over.
• A state tuple of type β, which will be a nesting of MProds representing the elaboration of let mut variables and early return.

The loop specification lemmas will use this in the following way: Before entering the loop, the cursor's prefix is empty and the suffix is xs. After leaving the loop, the cursor's prefix is xs and the suffix is empty. During the induction step, the invariant holds for a suffix with head element x. After running the loop body, the invariant then holds after shifting x to the prefix.

Equations

• Std.Do.Invariant xs β ps = Std.Do.PostCond (xs.Cursor × β) ps

@[reducible, inline]

abbrev Std.Do.Invariant.withEarlyReturn {β : Type (max u₁ u₂)} {ps : PostShape} {α✝ : Type (max u₁ u₂)} {xs : List α✝} {γ : Type (max u₁ u₂)} (onContinue : xs.Cursor → β → Assertion ps) (onReturn : γ → β → Assertion ps) (onExcept : ExceptConds ps := ExceptConds.false) : Invariant xs (MProd (Option γ) β) ps

Helper definition for specifying loop invariants for loops with early return.

for ... in ... loops with early return of type γ elaborate to a call like this:

forIn (β := MProd (Option γ) ...) (b := ⟨none, ...⟩) collection loopBody

Note that the first component of the MProd state tuple is the optional early return value. It is none as long as there was no early return and some r if the loop returned early with r.

This function allows to specify different invariants for the loop body depending on whether the loop terminated early or not. When there was an early return, the loop has effectively finished, which is encoded by the additional ⌜xs.suffix = []⌝ assertion in the invariant. This assertion is vital for successfully proving the induction step, as it contradicts with the assumption that xs.suffix = x::rest of the inductive hypothesis at the start of the loop body, meaning that users won't need to prove anything about the bogus case where the loop has returned early yet takes another iteration of the loop body.

Equations

• One or more equations did not get rendered due to their size.

theorem Std.Do.Spec.forIn'_list {α : Type u₁} {β : Type (max u₁ u₂)} {m : Type (max u₁ u₂) → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_list_const_inv {α : Type u₁} {β : Type (max u₁ u₂)} {m : Type (max u₁ u₂) → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} {inv : PostCond β ps} (step : ∀ (x : α) (hx : x ∈ xs) (b : β), ⦃inv.fst b⦄ f x hx b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst b' | ForInStep.done b' => inv.fst b', inv.snd)⦄) : ⦃inv.fst init⦄ forIn' xs init f ⦃inv⦄

theorem Std.Do.Spec.forIn_list {α : Type u₁} {β : Type (max u₁ u₂)} {m : Type (max u₁ u₂) → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_list_const_inv {α : Type u₁} {β : Type (max u₁ u₂)} {m : Type (max u₁ u₂) → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : α → β → m (ForInStep β)} {inv : PostCond β ps} (step : ∀ (hd : α) (b : β), ⦃inv.fst b⦄ f hd b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst b' | ForInStep.done b' => inv.fst b', inv.snd)⦄) : ⦃inv.fst init⦄ forIn xs init f ⦃inv⦄

theorem Std.Do.Spec.foldlM_list {α : Type u₁} {β : Type (max u₁ u₂)} {m : Type (max u₁ u₂) → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : β → α → m β} (inv : Invariant xs β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f b cur ⦃(fun (b' : β) => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs, property := ⋯ }, init)⦄ List.foldlM f init xs ⦃(fun (b : β) => inv.fst ({ «prefix» := xs, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.foldlM_list_const_inv {α : Type u₁} {β : Type (max u₁ u₂)} {m : Type (max u₁ u₂) → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : β → α → m β} {inv : PostCond β ps} (step : ∀ (hd : α) (b : β), ⦃inv.fst b⦄ f b hd ⦃(fun (b' : β) => inv.fst b', inv.snd)⦄) : ⦃inv.fst init⦄ List.foldlM f init xs ⦃inv⦄

theorem Std.Do.Spec.forIn'_range {β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Range} {init : β} {f : (a : Nat) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List Nat) (cur : Nat) (suff : List Nat) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_range {β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Range} {init : β} {f : Nat → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List Nat) (cur : Nat) (suff : List Nat) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_rcc {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LE α] [DecidableLE α] [PRange.UpwardEnumerable α] [Rxc.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLE α] {xs : Rcc α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_rcc {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LE α] [DecidableLE α] [PRange.UpwardEnumerable α] [Rxc.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLE α] {xs : Rcc α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_rco {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LE α] [LT α] [DecidableLT α] [PRange.UpwardEnumerable α] [Rxo.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLE α] [PRange.LawfulUpwardEnumerableLT α] {xs : Rco α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_rco {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LE α] [LT α] [DecidableLT α] [PRange.UpwardEnumerable α] [Rxo.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLE α] [PRange.LawfulUpwardEnumerableLT α] {xs : Rco α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_rci {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LE α] [PRange.UpwardEnumerable α] [Rxi.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLE α] {xs : Rci α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_rci {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LE α] [PRange.UpwardEnumerable α] [Rxi.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLE α] {xs : Rci α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_roc {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LE α] [DecidableLE α] [LT α] [PRange.UpwardEnumerable α] [Rxc.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLE α] [PRange.LawfulUpwardEnumerableLT α] {xs : Roc α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_roc {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LE α] [DecidableLE α] [LT α] [PRange.UpwardEnumerable α] [Rxc.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLE α] [PRange.LawfulUpwardEnumerableLT α] {xs : Roc α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_roo {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LT α] [DecidableLT α] [PRange.UpwardEnumerable α] [Rxo.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLT α] {xs : Roo α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_roo {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LT α] [DecidableLT α] [PRange.UpwardEnumerable α] [Rxo.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLT α] {xs : Roo α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_roi {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LT α] [DecidableLT α] [PRange.UpwardEnumerable α] [Rxi.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLT α] {xs : Roi α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_roi {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [LT α] [DecidableLT α] [PRange.UpwardEnumerable α] [Rxi.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLT α] {xs : Roi α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_ric {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [PRange.Least? α] [LE α] [DecidableLE α] [PRange.UpwardEnumerable α] [Rxc.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLeast? α] [PRange.LawfulUpwardEnumerableLE α] {xs : Ric α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_ric {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [PRange.Least? α] [LE α] [DecidableLE α] [PRange.UpwardEnumerable α] [Rxc.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLeast? α] [PRange.LawfulUpwardEnumerableLE α] {xs : Ric α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_rio {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [PRange.Least? α] [LT α] [DecidableLT α] [PRange.UpwardEnumerable α] [Rxo.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLeast? α] [PRange.LawfulUpwardEnumerableLT α] {xs : Rio α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_rio {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [PRange.Least? α] [LT α] [DecidableLT α] [PRange.UpwardEnumerable α] [Rxo.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLeast? α] [PRange.LawfulUpwardEnumerableLT α] {xs : Rio α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_rii {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [PRange.Least? α] [PRange.UpwardEnumerable α] [Rxi.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLeast? α] {xs : Rii α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_rii {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] [PRange.Least? α] [PRange.UpwardEnumerable α] [Rxi.IsAlwaysFinite α] [PRange.LawfulUpwardEnumerable α] [PRange.LawfulUpwardEnumerableLeast? α] {xs : Rii α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_slice {m : Type w → Type x} {ps : PostShape} [Monad m] [WPMonad m ps] {γ : Type u} {α β : Type w} [LawfulMonad m] {δ : Type w} [Iterators.ToIterator (Slice γ) Id α β] [Iterators.Iterator α Id β] [Iterators.IteratorLoop α Id m] [Iterators.LawfulIteratorLoop α Id m] [Iterators.IteratorCollect α Id Id] [Iterators.LawfulIteratorCollect α Id Id] [Iterators.Finite α Id] {init : δ} {f : β → δ → m (ForInStep δ)} {xs : Slice γ} (inv : Invariant xs.toList δ ps) (step : ∀ (pref : List β) (cur : β) (suff : List β) (h : xs.toList = pref ++ cur :: suff) (b : δ), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep δ) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : δ) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn'_array {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Array α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur ⋯ b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.forIn_array {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Array α} {init : β} {f : α → β → m (ForInStep β)} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f cur b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b') | ForInStep.done b' => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ forIn xs init f ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄

theorem Std.Do.Spec.foldlM_array {α β : Type u} {m : Type u → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Array α} {init : β} {f : β → α → m β} (inv : Invariant xs.toList β ps) (step : ∀ (pref : List α) (cur : α) (suff : List α) (h : xs.toList = pref ++ cur :: suff) (b : β), ⦃inv.fst ({ «prefix» := pref, suffix := cur :: suff, property := ⋯ }, b)⦄ f b cur ⦃(fun (b' : β) => inv.fst ({ «prefix» := pref ++ [cur], suffix := suff, property := ⋯ }, b'), inv.snd)⦄) : ⦃inv.fst ({ «prefix» := [], suffix := xs.toList, property := ⋯ }, init)⦄ Array.foldlM f init xs ⦃(fun (b : β) => inv.fst ({ «prefix» := xs.toList, suffix := [], property := ⋯ }, b), inv.snd)⦄