Hoare triple specifications for select functions

This module contains Hoare triple specifications for some functions in Core.

@[reducible, inline]

abbrev Std.Range.toList (r : Range) : List Nat

Equations

• r.toList = List.range' r.start ((r.stop - r.start + r.step - 1) / r.step) r.step

theorem Std.Range.toList_range' (r : Range) (h : r.step = 1) : r.toList = List.range' r.start (r.stop - r.start)

structure Std.List.Zipper {α : Type u} (l : List α) : Type u

• rpref : List α
• suff : List α
• property : self.rpref.reverse ++ self.suff = l

theorem Std.List.Zipper.ext_iff {α : Type u} {l : List α} {x y : Zipper l} : x = y ↔ x.rpref = y.rpref ∧ x.suff = y.suff

theorem Std.List.Zipper.ext {α : Type u} {l : List α} {x y : Zipper l} (rpref : x.rpref = y.rpref) (suff : x.suff = y.suff) : x = y

@[reducible, inline]

abbrev Std.List.Zipper.pref {α : Type u_1} {l : List α} (s : Zipper l) : List α

Equations

• s.pref = s.rpref.reverse

@[reducible, inline]

abbrev Std.List.Zipper.begin {α : Type u_1} (l : List α) : Zipper l

Equations

• Std.List.Zipper.begin l = { rpref := [], suff := l, property := ⋯ }

@[reducible, inline]

abbrev Std.List.Zipper.end {α : Type u_1} (l : List α) : Zipper l

Equations

• Std.List.Zipper.end l = { rpref := l.reverse, suff := [], property := ⋯ }

@[reducible, inline]

abbrev Std.List.Zipper.tail {α✝ : Type u_1} {l : List α✝} {hd : α✝} {tl : List α✝} (s : Zipper l) (h : s.suff = hd :: tl) : Zipper l

Equations

• s.tail h = { rpref := hd :: s.rpref, suff := tl, property := ⋯ }

If/Then/Else

theorem Std.Do.Spec.ite {α : Type} {m : Type → Type u_1} {ps : PostShape} {P : Assertion ps} {Q : PostCond α ps} (c : Prop) [Decidable c] [WP m ps] (t e : m α) (ifTrue : c → ⦃P⦄ t ⦃Q⦄) (ifFalse : ¬c → ⦃P⦄ e ⦃Q⦄) : ⦃P⦄ if c then t else e ⦃Q⦄

theorem Std.Do.Spec.dite {α : Type} {m : Type → Type u_1} {ps : PostShape} {P : Assertion ps} {Q : PostCond α ps} (c : Prop) [Decidable c] [WP m ps] (t : c → m α) (e : ¬c → m α) (ifTrue : ∀ (h : c), ⦃P⦄ t h ⦃Q⦄) (ifFalse : ∀ (h : ¬c), ⦃P⦄ e h ⦃Q⦄) : ⦃P⦄ if h : c then t h else e h ⦃Q⦄

Monad

theorem Std.Do.Spec.pure' {m : Type → Type u} {ps : PostShape} {α : Type} {a : α} [Monad m] [WPMonad m ps] {P : Assertion ps} {Q : PostCond α ps} (h : P ⊢ₛ Q.fst a) : ⦃P⦄ Pure.pure a ⦃Q⦄

theorem Std.Do.Spec.pure {m : Type → Type u} {ps : PostShape} [Monad m] [WPMonad m ps] {α : Type} {a : α} {Q : PostCond α ps} : ⦃Q.fst a⦄ Pure.pure a ⦃Q⦄

theorem Std.Do.Spec.bind' {m : Type → Type u} {ps : PostShape} {α β : Type} [Monad m] [WPMonad m ps] {x : m α} {f : α → m β} {P : Assertion ps} {Q : PostCond β ps} (h : ⦃P⦄ x ⦃(fun (a : α) => wp⟦f a⟧ Q, Q.snd)⦄) : ⦃P⦄ (x >>= f) ⦃Q⦄

theorem Std.Do.Spec.bind {m : Type → Type u} {ps : PostShape} [Monad m] [WPMonad m ps] {α β : Type} {x : m α} {f : α → m β} {Q : PostCond β ps} : ⦃wp⟦x⟧ (fun (a : α) => wp⟦f a⟧ Q, Q.snd)⦄ (x >>= f) ⦃Q⦄

theorem Std.Do.Spec.map {m : Type → Type u} {ps : PostShape} [Monad m] [WPMonad m ps] {α β : Type} {x : m α} {f : α → β} {Q : PostCond β ps} : ⦃wp⟦x⟧ (fun (a : α) => Q.fst (f a), Q.snd)⦄ (f <$> x) ⦃Q⦄

theorem Std.Do.Spec.seq {m : Type → Type u} {ps : PostShape} [Monad m] [WPMonad m ps] {α β : Type} {x : m (α → β)} {y : m α} {Q : PostCond β ps} : ⦃wp⟦x⟧ (fun (f : α → β) => wp⟦y⟧ (fun (a : α) => Q.fst (f a), Q.snd), Q.snd)⦄ (x <*> y) ⦃Q⦄

MonadLift

theorem Std.Do.Spec.monadLift_StateT {m : Type → Type u} {ps : PostShape} {α σ : Type} [Monad m] [WPMonad m ps] (x : m α) (Q : PostCond α (PostShape.arg σ ps)) : ⦃fun (s : σ) => wp⟦x⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadLift.monadLift x ⦃Q⦄

theorem Std.Do.Spec.monadLift_ReaderT {m : Type → Type u} {ps : PostShape} {α ρ : Type} [Monad m] [WPMonad m ps] (x : m α) (Q : PostCond α (PostShape.arg ρ ps)) : ⦃fun (s : ρ) => wp⟦x⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadLift.monadLift x ⦃Q⦄

theorem Std.Do.Spec.monadLift_ExceptT {m : Type → Type u} {ps : PostShape} {α ε : Type} [Monad m] [WPMonad m ps] (x : m α) (Q : PostCond α (PostShape.except ε ps)) : ⦃wp⟦x⟧ (fun (a : α) => Q.fst a, Q.snd.snd)⦄ MonadLift.monadLift x ⦃Q⦄

MonadLiftT

MonadFunctor

theorem Std.Do.Spec.monadMap_StateT {m : Type → Type u} {ps : PostShape} {σ : Type} [Monad m] [WP m ps] (f : {β : Type} → m β → m β) {α : Type} (x : StateT σ m α) (Q : PostCond α (PostShape.arg σ ps)) : ⦃fun (s : σ) => wp⟦f (x.run s)⟧ (fun (x : α × σ) => match x with | (a, s) => Q.fst a s, Q.snd)⦄ MonadFunctor.monadMap (fun {β : Type} => f) x ⦃Q⦄

theorem Std.Do.Spec.monadMap_ReaderT {m : Type → Type u} {ps : PostShape} {ρ : Type} [Monad m] [WP m ps] (f : {β : Type} → m β → m β) {α : Type} (x : ReaderT ρ m α) (Q : PostCond α (PostShape.arg ρ ps)) : ⦃fun (s : ρ) => wp⟦f (x.run s)⟧ (fun (a : α) => Q.fst a s, Q.snd)⦄ MonadFunctor.monadMap (fun {β : Type} => f) x ⦃Q⦄

theorem Std.Do.Spec.monadMap_ExceptT {m : Type → Type u} {ps : PostShape} {ε : Type} [Monad m] [WP m ps] (f : {β : Type} → m β → m β) {α : Type} (x : ExceptT ε m α) (Q : PostCond α (PostShape.except ε ps)) : ⦃wp⟦f x.run⟧ (fun (x : Except ε α) => match x with | Except.ok a => Q.fst a | Except.error e => Q.snd.fst e, Q.snd.snd)⦄ MonadFunctor.monadMap (fun {β : Type} => f) x ⦃Q⦄

MonadFunctorT

theorem Std.Do.Spec.monadMap_trans {m : Type → Type u} {ps : PostShape} {o : Type → Type u_1} {n : Type → Type u_2} {α : Type} {f : {β : Type} → m β → m β} {x : o α} {Q : PostCond α ps} [WP o ps] [MonadFunctor n o] [MonadFunctorT m n] : ⦃wp⟦MonadFunctor.monadMap (fun {β : Type} => monadMap fun {β : Type} => f) x⟧ Q⦄ monadMap f x ⦃Q⦄

theorem Std.Do.Spec.monadMap_refl {m : Type → Type u} {ps : PostShape} {α : Type} {f : {β : Type} → m β → m β} {x : m α} {Q : PostCond α ps} [WP m ps] : ⦃wp⟦f x⟧ Q⦄ monadMap f x ⦃Q⦄

ReaderT

theorem Std.Do.Spec.read_ReaderT {m : Type → Type u} {psm : PostShape} {ρ : Type} {Q : PostCond ρ (PostShape.arg ρ psm)} [Monad m] [WPMonad m psm] : ⦃fun (r : ρ) => Q.fst r r⦄ MonadReaderOf.read ⦃Q⦄

theorem Std.Do.Spec.withReader_ReaderT {m : Type → Type u} {psm : PostShape} {ρ α : Type} {f : ρ → ρ} {x : ReaderT ρ m α} {Q : PostCond α (PostShape.arg ρ psm)} [Monad m] [WPMonad m psm] : ⦃fun (r : ρ) => wp⟦x⟧ (fun (a : α) (x : ρ) => Q.fst a r, Q.snd) (f r)⦄ MonadWithReaderOf.withReader f x ⦃Q⦄

StateT

theorem Std.Do.Spec.get_StateT {m : Type → Type u} {psm : PostShape} {σ : Type} {Q : PostCond σ (PostShape.arg σ psm)} [Monad m] [WPMonad m psm] : ⦃fun (s : σ) => Q.fst s s⦄ MonadStateOf.get ⦃Q⦄

theorem Std.Do.Spec.set_StateT {m : Type → Type u} {psm : PostShape} {σ : Type} {s : σ} {Q : PostCond PUnit (PostShape.arg σ psm)} [Monad m] [WPMonad m psm] : ⦃fun (x : σ) => Q.fst () s⦄ set s ⦃Q⦄

theorem Std.Do.Spec.modifyGet_StateT {m : Type → Type u} {ps : PostShape} {σ α : Type} {f : σ → α × σ} {Q : PostCond α (PostShape.arg σ ps)} [Monad m] [WPMonad m ps] : ⦃fun (s : σ) => Q.fst (f s).fst (f s).snd⦄ MonadStateOf.modifyGet f ⦃Q⦄

ExceptT

theorem Std.Do.Spec.run_ExceptT {m : Type → Type u} {ps : PostShape} {ε α : Type} {Q : PostCond (Except ε α) ps} [WP m ps] (x : ExceptT ε m α) : ⦃wp⟦x⟧ (fun (a : α) => Q.fst (Except.ok a), fun (e : ε) => Q.fst (Except.error e), Q.snd)⦄ x.run ⦃Q⦄

theorem Std.Do.Spec.throw_ExceptT {m : Type → Type u} {ps : PostShape} {ε α : Type} {e : ε} {Q : PostCond α (PostShape.except ε ps)} [Monad m] [WPMonad m ps] : ⦃Q.snd.fst e⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_ExceptT {m : Type → Type u} {ps : PostShape} {α ε : Type} {x : ExceptT ε m α} {h : ε → ExceptT ε m α} [Monad m] [WPMonad m ps] (Q : PostCond α (PostShape.except ε ps)) : ⦃wp⟦x⟧ (Q.fst, fun (e : ε) => wp⟦h e⟧ Q, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

Except

theorem Std.Do.Spec.throw_Except {m : Type → Type u} {ps : PostShape} {ε α : Type} {e : ε} {Q : PostCond α (PostShape.except ε PostShape.pure)} [Monad m] [WPMonad m ps] : ⦃Q.snd.fst e⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_Except {α ε : Type} {x : Except ε α} {h : ε → Except ε α} (Q : PostCond α (PostShape.except ε PostShape.pure)) : ⦃wp⟦x⟧ (Q.fst, fun (e : ε) => wp⟦h e⟧ Q, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

EStateM

theorem Std.Do.Spec.get_EStateM {ε σ : Type} {Q : PostCond σ (PostShape.except ε (PostShape.arg σ PostShape.pure))} : ⦃fun (s : σ) => Q.fst s s⦄ MonadStateOf.get ⦃Q⦄

theorem Std.Do.Spec.set_EStateM {ε σ : Type} {s : σ} {Q : PostCond PUnit (PostShape.except ε (PostShape.arg σ PostShape.pure))} : ⦃fun (x : σ) => Q.fst () s⦄ set s ⦃Q⦄

theorem Std.Do.Spec.modifyGet_EStateM {ε σ α : Type} {f : σ → α × σ} {Q : PostCond α (PostShape.except ε (PostShape.arg σ PostShape.pure))} : ⦃fun (s : σ) => Q.fst (f s).fst (f s).snd⦄ MonadStateOf.modifyGet f ⦃Q⦄

theorem Std.Do.Spec.throw_EStateM {ε σ α : Type} {e : ε} {Q : PostCond α (PostShape.except ε (PostShape.arg σ PostShape.pure))} : ⦃Q.snd.fst e⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_EStateM {α ε σ : Type} {x : EStateM ε σ α} {h : ε → EStateM ε σ α} (Q : PostCond α (PostShape.except ε (PostShape.arg σ PostShape.pure))) : ⦃fun (s : σ) => wp⟦x⟧ (Q.fst, fun (e : ε) (s' : σ) => wp⟦h e⟧ Q (EStateM.Backtrackable.restore s' (EStateM.Backtrackable.save s)), Q.snd.snd) s⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

Lifting MonadStateOf

Lifting MonadReaderOf

Lifting MonadExceptOf

theorem Std.Do.Spec.throw_MonadExcept {m : Type → Type u} {ε : Type u_1} {α : Type} {e : ε} {s✝ : PostShape} {Q : PostCond α s✝} [MonadExceptOf ε m] [WP m s✝] : ⦃wp⟦MonadExceptOf.throw e⟧ Q⦄ throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_MonadExcept {m : Type → Type u} {ps : PostShape} {ε : Type u_1} {α : Type} {x : m α} {h : ε → m α} [MonadExceptOf ε m] [WP m ps] (Q : PostCond α ps) : ⦃wp⟦MonadExceptOf.tryCatch x h⟧ Q⦄ tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.throw_ReaderT {m : Type → Type u} {sh : PostShape} {ε : Type u_1} {ρ α : Type} {e : ε} {Q : PostCond α (PostShape.arg ρ sh)} [WP m sh] [Monad m] [MonadExceptOf ε m] : ⦃wp⟦MonadLift.monadLift (MonadExceptOf.throw e)⟧ Q⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.throw_StateT {m : Type → Type u} {ps : PostShape} {ε : Type u_1} {α σ : Type} {e : ε} [WP m ps] [Monad m] [MonadExceptOf ε m] (Q : PostCond α (PostShape.arg σ ps)) : ⦃wp⟦MonadLift.monadLift (MonadExceptOf.throw e)⟧ Q⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.throw_ExceptT_lift {m : Type → Type u} {ps : PostShape} {ε α ε' : Type} {e : ε} [WP m ps] [Monad m] [MonadExceptOf ε m] (Q : PostCond α (PostShape.except ε' ps)) : ⦃wp⟦MonadExceptOf.throw e⟧ (fun (x : Except ε' α) => match x with | Except.ok a => Q.fst a | Except.error e => Q.snd.fst e, Q.snd.snd)⦄ MonadExceptOf.throw e ⦃Q⦄

theorem Std.Do.Spec.tryCatch_ReaderT {m : Type → Type u} {ps : PostShape} {ε : Type u_1} {α ρ : Type} {x : ReaderT ρ m α} {h : ε → ReaderT ρ m α} [WP m ps] [Monad m] [MonadExceptOf ε m] (Q : PostCond α (PostShape.arg ρ ps)) : ⦃fun (r : ρ) => wp⟦MonadExceptOf.tryCatch (x.run r) fun (e : ε) => (h e).run r⟧ (fun (a : α) => Q.fst a r, Q.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.tryCatch_StateT {m : Type → Type u} {ps : PostShape} {ε : Type u_1} {α σ : Type} {x : StateT σ m α} {h : ε → StateT σ m α} [WP m ps] [Monad m] [MonadExceptOf ε m] (Q : PostCond α (PostShape.arg σ ps)) : ⦃fun (s : σ) => wp⟦MonadExceptOf.tryCatch (x.run s) fun (e : ε) => (h e).run s⟧ (fun (xs : α × σ) => Q.fst xs.fst xs.snd, Q.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

theorem Std.Do.Spec.tryCatch_ExceptT_lift {m : Type → Type u} {ps : PostShape} {ε α ε' : Type} {x : ExceptT ε' m α} {h : ε → ExceptT ε' m α} [WP m ps] [Monad m] [MonadExceptOf ε m] (Q : PostCond α (PostShape.except ε' ps)) : ⦃wp⟦MonadExceptOf.tryCatch x h⟧ (fun (x : Except ε' α) => match x with | Except.ok a => Q.fst a | Except.error e => Q.snd.fst e, Q.snd.snd)⦄ MonadExceptOf.tryCatch x h ⦃Q⦄

ForIn

theorem Std.Do.Spec.forIn'_list {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : PostCond (β × List.Zipper xs) ps) (step : ∀ (b : β) (rpref : List α) (x : α) (hx : x ∈ xs) (suff : List α) (h : xs = rpref.reverse ++ x :: suff), ⦃inv.fst (b, { rpref := rpref, suff := x :: suff, property := ⋯ })⦄ f x hx b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst (b', { rpref := x :: rpref, suff := suff, property := ⋯ }) | ForInStep.done b' => inv.fst (b', { rpref := xs.reverse, suff := [], property := ⋯ }), inv.snd)⦄) : ⦃inv.fst (init, { rpref := [], suff := xs, property := ⋯ })⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst (b, { rpref := xs.reverse, suff := [], property := ⋯ }), inv.snd)⦄

theorem Std.Do.Spec.forIn'_list_const_inv {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} {inv : PostCond β ps} (step : ∀ (x : α) (hx : x ∈ xs) (b : β), ⦃inv.fst b⦄ f x hx b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst b' | ForInStep.done b' => inv.fst b', inv.snd)⦄) : ⦃inv.fst init⦄ forIn' xs init f ⦃inv⦄

theorem Std.Do.Spec.forIn_list {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : α → β → m (ForInStep β)} (inv : PostCond (β × List.Zipper xs) ps) (step : ∀ (b : β) (rpref : List α) (x : α) (suff : List α) (h : xs = rpref.reverse ++ x :: suff), ⦃inv.fst (b, { rpref := rpref, suff := x :: suff, property := ⋯ })⦄ f x b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst (b', { rpref := x :: rpref, suff := suff, property := ⋯ }) | ForInStep.done b' => inv.fst (b', { rpref := xs.reverse, suff := [], property := ⋯ }), inv.snd)⦄) : ⦃inv.fst (init, { rpref := [], suff := xs, property := ⋯ })⦄ forIn xs init f ⦃(fun (b : β) => inv.fst (b, { rpref := xs.reverse, suff := [], property := ⋯ }), inv.snd)⦄

theorem Std.Do.Spec.forIn_list_const_inv {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : α → β → m (ForInStep β)} {inv : PostCond β ps} (step : ∀ (hd : α) (b : β), ⦃inv.fst b⦄ f hd b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst b' | ForInStep.done b' => inv.fst b', inv.snd)⦄) : ⦃inv.fst init⦄ forIn xs init f ⦃inv⦄

theorem Std.Do.Spec.foldlM_list {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : β → α → m β} (inv : PostCond (β × List.Zipper xs) ps) (step : ∀ (b : β) (rpref : List α) (x : α) (suff : List α) (h : xs = rpref.reverse ++ x :: suff), ⦃inv.fst (b, { rpref := rpref, suff := x :: suff, property := ⋯ })⦄ f b x ⦃(fun (b' : β) => inv.fst (b', { rpref := x :: rpref, suff := suff, property := ⋯ }), inv.snd)⦄) : ⦃inv.fst (init, { rpref := [], suff := xs, property := ⋯ })⦄ List.foldlM f init xs ⦃(fun (b : β) => inv.fst (b, { rpref := xs.reverse, suff := [], property := ⋯ }), inv.snd)⦄

theorem Std.Do.Spec.foldlM_list_const_inv {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : List α} {init : β} {f : β → α → m β} {inv : PostCond β ps} (step : ∀ (hd : α) (b : β), ⦃inv.fst b⦄ f b hd ⦃(fun (b' : β) => inv.fst b', inv.snd)⦄) : ⦃inv.fst init⦄ List.foldlM f init xs ⦃inv⦄

theorem Std.Do.Spec.forIn'_range {β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Range} {init : β} {f : (a : Nat) → a ∈ xs → β → m (ForInStep β)} (inv : PostCond (β × List.Zipper xs.toList) ps) (step : ∀ (b : β) (rpref : List Nat) (x : Nat) (hx : x ∈ xs) (suff : List Nat) (h : xs.toList = rpref.reverse ++ x :: suff), ⦃inv.fst (b, { rpref := rpref, suff := x :: suff, property := ⋯ })⦄ f x hx b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst (b', { rpref := x :: rpref, suff := suff, property := ⋯ }) | ForInStep.done b' => inv.fst (b', { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄) : ⦃inv.fst (init, { rpref := [], suff := xs.toList, property := ⋯ })⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst (b, { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄

theorem Std.Do.Spec.forIn_range {β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Range} {init : β} {f : Nat → β → m (ForInStep β)} (inv : PostCond (β × List.Zipper xs.toList) ps) (step : ∀ (b : β) (rpref : List Nat) (x : Nat) (suff : List Nat) (h : xs.toList = rpref.reverse ++ x :: suff), ⦃inv.fst (b, { rpref := rpref, suff := x :: suff, property := ⋯ })⦄ f x b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst (b', { rpref := x :: rpref, suff := suff, property := ⋯ }) | ForInStep.done b' => inv.fst (b', { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄) : ⦃inv.fst (init, { rpref := [], suff := xs.toList, property := ⋯ })⦄ forIn xs init f ⦃(fun (b : β) => inv.fst (b, { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄

theorem Std.Do.Spec.forIn'_array {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Array α} {init : β} {f : (a : α) → a ∈ xs → β → m (ForInStep β)} (inv : PostCond (β × List.Zipper xs.toList) ps) (step : ∀ (b : β) (rpref : List α) (x : α) (hx : x ∈ xs) (suff : List α) (h : xs.toList = rpref.reverse ++ x :: suff), ⦃inv.fst (b, { rpref := rpref, suff := x :: suff, property := ⋯ })⦄ f x hx b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst (b', { rpref := x :: rpref, suff := suff, property := ⋯ }) | ForInStep.done b' => inv.fst (b', { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄) : ⦃inv.fst (init, { rpref := [], suff := xs.toList, property := ⋯ })⦄ forIn' xs init f ⦃(fun (b : β) => inv.fst (b, { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄

theorem Std.Do.Spec.forIn_array {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Array α} {init : β} {f : α → β → m (ForInStep β)} (inv : PostCond (β × List.Zipper xs.toList) ps) (step : ∀ (b : β) (rpref : List α) (x : α) (suff : List α) (h : xs.toList = rpref.reverse ++ x :: suff), ⦃inv.fst (b, { rpref := rpref, suff := x :: suff, property := ⋯ })⦄ f x b ⦃(fun (r : ForInStep β) => match r with | ForInStep.yield b' => inv.fst (b', { rpref := x :: rpref, suff := suff, property := ⋯ }) | ForInStep.done b' => inv.fst (b', { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄) : ⦃inv.fst (init, { rpref := [], suff := xs.toList, property := ⋯ })⦄ forIn xs init f ⦃(fun (b : β) => inv.fst (b, { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄

theorem Std.Do.Spec.foldlM_array {α β : Type} {m : Type → Type v} {ps : PostShape} [Monad m] [WPMonad m ps] {xs : Array α} {init : β} {f : β → α → m β} (inv : PostCond (β × List.Zipper xs.toList) ps) (step : ∀ (b : β) (rpref : List α) (x : α) (suff : List α) (h : xs.toList = rpref.reverse ++ x :: suff), ⦃inv.fst (b, { rpref := rpref, suff := x :: suff, property := ⋯ })⦄ f b x ⦃(fun (b' : β) => inv.fst (b', { rpref := x :: rpref, suff := suff, property := ⋯ }), inv.snd)⦄) : ⦃inv.fst (init, { rpref := [], suff := xs.toList, property := ⋯ })⦄ Array.foldlM f init xs ⦃(fun (b : β) => inv.fst (b, { rpref := xs.toList.reverse, suff := [], property := ⋯ }), inv.snd)⦄