------------------------------------------------------------------------------
--                                                                          --
--                         GNAT LIBRARY COMPONENTS                          --
--                                                                          --
--                    ADA.CONTAINERS.FUNCTIONAL_MAPS                        --
--                                                                          --
--                                 S p e c                                  --
--                                                                          --
--          Copyright (C) 2016-2019, Free Software Foundation, Inc.         --
--                                                                          --
-- This specification is derived from the Ada Reference Manual for use with --
-- GNAT. The copyright notice above, and the license provisions that follow --
-- apply solely to the  contents of the part following the private keyword. --
--                                                                          --
-- GNAT is free software;  you can  redistribute it  and/or modify it under --
-- terms of the  GNU General Public License as published  by the Free Soft- --
-- ware  Foundation;  either version 3,  or (at your option) any later ver- --
-- sion.  GNAT is distributed in the hope that it will be useful, but WITH- --
-- OUT ANY WARRANTY;  without even the  implied warranty of MERCHANTABILITY --
-- or FITNESS FOR A PARTICULAR PURPOSE.                                     --
--                                                                          --
-- As a special exception under Section 7 of GPL version 3, you are granted --
-- additional permissions described in the GCC Runtime Library Exception,   --
-- version 3.1, as published by the Free Software Foundation.               --
--                                                                          --
-- You should have  received  a copy of the GNU General  Public  License and --
-- a copy of the GCC Runtime Library Exception along with this program;     --
-- see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see    --
-- <http://www.gnu.org/licenses/>.                                          --
------------------------------------------------------------------------------

--  Functional (immutable) maps for use in SPARK annotations. Every
--  construction function below (Add, Remove, Set) is a side-effect-free
--  function (Global => null) returning a new Map; its Container argument is
--  never modified. The visible part is in SPARK_Mode; the private part, which
--  instantiates Ada.Containers.Functional_Base, is SPARK_Mode (Off).

pragma Ada_2012;
private with Ada.Containers.Functional_Base;

generic
   --  Both formal types are indefinite ((<>)), so unconstrained and
   --  class-wide actuals are accepted.
   type Key_Type (<>) is private;
   type Element_Type (<>) is private;

   --  Key equivalence used by every contract below; defaults to the
   --  predefined "=" of Key_Type.
   with function Equivalent_Keys
     (Left  : Key_Type;
      Right : Key_Type) return Boolean is "=";
   --  Element equality, taken from the instantiation scope by default.
   with function "=" (Left, Right : Element_Type) return Boolean is <>;

   Enable_Handling_Of_Equivalence : Boolean := True;
   --  This constant should only be set to False when no particular handling
   --  of equivalence over keys is needed, that is, Equivalent_Keys defines a
   --  key uniquely. When True, Has_Key and Get carry an extra postcondition
   --  stating that they agree on all equivalent keys (see below).

package Ada.Containers.Functional_Maps with SPARK_Mode is

   type Map is private with
     Default_Initial_Condition => Is_Empty (Map) and Length (Map) = 0,
     Iterable                  => (First       => Iter_First,
                                   Next        => Iter_Next,
                                   Has_Element => Iter_Has_Element,
                                   Element     => Iter_Element);
   --  Maps are empty when default initialized.
   --  "For in" quantification over maps should not be used.
   --  "For of" quantification over maps iterates over keys.
   --  Note that, for proof, "for of" quantification is understood modulo
   --  equivalence (the range of quantification comprises all the keys that are
   --  equivalent to any key of the map).

   -----------------------
   -- Basic operations --
   -----------------------

   --  Maps are axiomatized using Has_Key and Get, encoding respectively the
   --  presence of a key in a map and an accessor to elements associated with
   --  its keys. The length of a map is also added to protect Add against
   --  overflows but it is not actually modeled.

   function Has_Key (Container : Map; Key : Key_Type) return Boolean with
   --  Return True if Key is present in Container

     Global => null,
     Post   =>
       (if Enable_Handling_Of_Equivalence then

          --  Has_Key returns the same result on all equivalent keys

          (if (for some K of Container => Equivalent_Keys (K, Key)) then
             Has_Key'Result));

   function Get (Container : Map; Key : Key_Type) return Element_Type with
   --  Return the element associated with Key in Container.
   --  Precondition: Key must be present (callers prove Has_Key first).

     Global => null,
     Pre    => Has_Key (Container, Key),
     Post   =>
       (if Enable_Handling_Of_Equivalence then

          --  Get returns the same result on all equivalent keys: the result
          --  is the element reachable through Key's witness, and two keys of
          --  the map share a witness exactly when they are equivalent.

          Get'Result = W_Get (Container, Witness (Container, Key))
            and (for all K of Container =>
                   (Equivalent_Keys (K, Key) =
                      (Witness (Container, Key) = Witness (Container, K)))));

   function Length (Container : Map) return Count_Type with
     Global => null;
   --  Return the number of mappings in Container

   ------------------------
   -- Property Functions --
   ------------------------

   function "<=" (Left : Map; Right : Map) return Boolean with
   --  Map inclusion: every key of Left is in Right with an equal element

     Global => null,
     Post   =>
       "<="'Result =
         (for all Key of Left =>
           Has_Key (Right, Key) and then Get (Right, Key) = Get (Left, Key));

   function "=" (Left : Map; Right : Map) return Boolean with
   --  Extensional equality over maps: mutual inclusion of keys, with equal
   --  elements on the keys of Left

     Global => null,
     Post   =>
       "="'Result =
         ((for all Key of Left =>
            Has_Key (Right, Key)
              and then Get (Right, Key) = Get (Left, Key))
          and (for all Key of Right => Has_Key (Left, Key)));

   --  The quantified variable Key is intentionally unused in the
   --  postcondition of Is_Empty; silence the warning around it only.
   pragma Warnings (Off, "unused variable ""Key""");
   function Is_Empty (Container : Map) return Boolean with
   --  A map is empty if it contains no key

     Global => null,
     Post   => Is_Empty'Result = (for all Key of Container => False);
   pragma Warnings (On, "unused variable ""Key""");

   function Keys_Included (Left : Map; Right : Map) return Boolean
   --  Returns True if every Key of Left is in Right

   with
     Global => null,
     Post   =>
       Keys_Included'Result = (for all Key of Left => Has_Key (Right, Key));

   function Same_Keys (Left : Map; Right : Map) return Boolean
   --  Returns True if Left and Right have the same keys

   with
     Global => null,
     Post   =>
       Same_Keys'Result =
         (Keys_Included (Left, Right)
           and Keys_Included (Left => Right, Right => Left));
   pragma Annotate (GNATprove, Inline_For_Proof, Same_Keys);

   function Keys_Included_Except
     (Left    : Map;
      Right   : Map;
      New_Key : Key_Type) return Boolean
   --  Returns True if Left contains only keys of Right and possibly New_Key
   --  (and keys equivalent to it)

   with
     Global => null,
     Post   =>
       Keys_Included_Except'Result =
         (for all Key of Left =>
           (if not Equivalent_Keys (Key, New_Key) then
               Has_Key (Right, Key)));

   function Keys_Included_Except
     (Left  : Map;
      Right : Map;
      X     : Key_Type;
      Y     : Key_Type) return Boolean
   --  Returns True if Left contains only keys of Right and possibly X and Y

   with
     Global => null,
     Post   =>
       Keys_Included_Except'Result =
         (for all Key of Left =>
           (if not Equivalent_Keys (Key, X)
                 and not Equivalent_Keys (Key, Y)
            then
               Has_Key (Right, Key)));

   function Elements_Equal_Except
     (Left    : Map;
      Right   : Map;
      New_Key : Key_Type) return Boolean
   --  Returns True if all the keys of Left are mapped to the same elements in
   --  Left and Right except New_Key.

   with
     Global => null,
     Post   =>
       Elements_Equal_Except'Result =
         (for all Key of Left =>
           (if not Equivalent_Keys (Key, New_Key) then
               Has_Key (Right, Key)
                 and then Get (Left, Key) = Get (Right, Key)));

   function Elements_Equal_Except
     (Left  : Map;
      Right : Map;
      X     : Key_Type;
      Y     : Key_Type) return Boolean
   --  Returns True if all the keys of Left are mapped to the same elements in
   --  Left and Right except X and Y.

   with
     Global => null,
     Post   =>
       Elements_Equal_Except'Result =
         (for all Key of Left =>
           (if not Equivalent_Keys (Key, X)
                 and not Equivalent_Keys (Key, Y)
            then
               Has_Key (Right, Key)
                 and then Get (Left, Key) = Get (Right, Key)));

   ----------------------------
   -- Construction Functions --
   ----------------------------

   --  For better efficiency of both proofs and execution, avoid using
   --  construction functions in annotations and rather use property functions.

   function Add
     (Container : Map;
      New_Key   : Key_Type;
      New_Item  : Element_Type) return Map
   --  Returns Container augmented with the mapping New_Key -> New_Item.
   --  The Length (Container) < Count_Type'Last precondition is what keeps
   --  "Length (Container) + 1" in the postcondition free of overflow.

   with
     Global => null,
     Pre    =>
       not Has_Key (Container, New_Key)
         and Length (Container) < Count_Type'Last,
     Post   =>
       Length (Container) + 1 = Length (Add'Result)
         and Has_Key (Add'Result, New_Key)
         and Get (Add'Result, New_Key) = New_Item
         and Container <= Add'Result
         and Keys_Included_Except (Add'Result, Container, New_Key);

   function Remove
     (Container : Map;
      Key       : Key_Type) return Map
   --  Returns Container without any mapping for Key

   with
     Global => null,
     Pre    => Has_Key (Container, Key),
     Post   =>
       Length (Container) = Length (Remove'Result) + 1
         and not Has_Key (Remove'Result, Key)
         and Remove'Result <= Container
         and Keys_Included_Except (Container, Remove'Result, Key);

   function Set
     (Container : Map;
      Key       : Key_Type;
      New_Item  : Element_Type) return Map
   --  Returns Container, where the element associated with Key has been
   --  replaced by New_Item.

   with
     Global => null,
     Pre    => Has_Key (Container, Key),
     Post   =>
       Length (Container) = Length (Set'Result)
         and Get (Set'Result, Key) = New_Item
         and Same_Keys (Container, Set'Result)
         and Elements_Equal_Except (Container, Set'Result, Key);

   ------------------------------
   -- Handling of Equivalence --
   ------------------------------

   --  These functions are used to specify that Get returns the same value on
   --  equivalent keys. They should not be used directly in user code.
   --  All three are Ghost: they exist for proof only and have no runtime
   --  counterpart in compiled code.

   function Has_Witness (Container : Map; Witness : Count_Type) return Boolean
   with
     Ghost,
     Global => null;
   --  Returns True if there is a key with witness Witness in Container

   function Witness (Container : Map; Key : Key_Type) return Count_Type with
   --  Returns the witness of Key in Container

     Ghost,
     Global => null,
     Pre    => Has_Key (Container, Key),
     Post   => Has_Witness (Container, Witness'Result);

   function W_Get (Container : Map; Witness : Count_Type) return Element_Type
   with
   --  Returns the element associated with a witness in Container

     Ghost,
     Global => null,
     Pre    => Has_Witness (Container, Witness);

   ---------------------------
   -- Iteration Primitives --
   ---------------------------

   --  Cursor type behind the Iterable aspect of Map; not meant to be used
   --  directly. Iteration yields keys (see Iter_Element).
   type Private_Key is private;

   function Iter_First (Container : Map) return Private_Key with
     Global => null;

   function Iter_Has_Element
     (Container : Map;
      Key       : Private_Key) return Boolean
   with
     Global => null;

   function Iter_Next (Container : Map; Key : Private_Key) return Private_Key
   with
     Global => null,
     Pre    => Iter_Has_Element (Container, Key);

   function Iter_Element (Container : Map; Key : Private_Key) return Key_Type
   with
     Global => null,
     Pre    => Iter_Has_Element (Container, Key);
   --  Tells GNATprove that membership in a "for of" iteration over a Map is
   --  expressed by Has_Key.
   pragma Annotate (GNATprove, Iterable_For_Proof, "Contains", Has_Key);

private

   pragma SPARK_Mode (Off);

   --  Within the private part, equality on keys means Equivalent_Keys, so
   --  that the key container instantiated below compares keys modulo
   --  equivalence (presumably through a defaulted "=" formal of
   --  Functional_Base -- confirm against the Functional_Base spec).
   function "="
     (Left  : Key_Type;
      Right : Key_Type) return Boolean renames Equivalent_Keys;

   --  1-based positions into the underlying containers.
   subtype Positive_Count_Type is Count_Type range 1 .. Count_Type'Last;

   package Element_Containers is new Ada.Containers.Functional_Base
     (Element_Type => Element_Type,
      Index_Type   => Positive_Count_Type);

   package Key_Containers is new Ada.Containers.Functional_Base
     (Element_Type => Key_Type,
      Index_Type   => Positive_Count_Type);

   --  Keys and Elements are two containers indexed by the same
   --  Positive_Count_Type; NOTE(review): the body is not in this view, the
   --  element at position I is presumably the one mapped from the key at
   --  position I.
   type Map is record
      Keys     : Key_Containers.Container;
      Elements : Element_Containers.Container;
   end record;

   --  A cursor is a position in Container.Keys; 0 and any value above
   --  Length (Container.Keys) denote "no element" (see Iter_Has_Element).
   type Private_Key is new Count_Type;

   function Iter_First (Container : Map) return Private_Key is (1);

   function Iter_Has_Element
     (Container : Map;
      Key       : Private_Key) return Boolean
   is
     (Count_Type (Key) in 1 .. Key_Containers.Length (Container.Keys));

   --  Returns 0 instead of overflowing when Key is already Private_Key'Last;
   --  0 is outside the 1 .. Length range, so iteration then stops.
   function Iter_Next
     (Container : Map;
      Key       : Private_Key) return Private_Key
   is
     (if Key = Private_Key'Last then 0 else Key + 1);

   --  "For of" iteration yields the key stored at the cursor position, not
   --  the element.
   function Iter_Element
     (Container : Map;
      Key       : Private_Key) return Key_Type
   is
     (Key_Containers.Get (Container.Keys, Count_Type (Key)));

end Ada.Containers.Functional_Maps;