fixed some bag FAILED pos, and added concrete example with strings

leouk · leouk · commit d2bdb193caa4 · 2026-01-13T09:14:15.000Z
diff --git a/vdmlib/src/main/resources/Bag.vdmsl b/vdmlib/src/main/resources/Bag.vdmsl
@@ -70,11 +70,15 @@ functions
     --@QuickCheck @T = nat;
     subbageq[@T]: Bag * Bag -> bool
     subbageq(a, b) ==
-        forall xa in set dom a & amount[@T](a, a(xa)) <= amount[@T](b, b(xa))
+        forall xa in set dom a & inbag[@T](xa, b) and amount[@T](a, xa) <= amount[@T](b, xa)
     pre 
         type_convergent[@T](a) and type_convergent[@T](b)
     post 
-        bset[@T](a) subset bset[@T](b);
+        RESULT <=> 
+        (bset[@T](a) subset bset[@T](b) 
+         and 
+         forall x in set bset[@T](a) & amount[@T](a, x) <= amount[@T](b, x)
+        );
 
     --@doc ZEves scale definition is wrong! wrt to theorem bagscaleBy1 (!
     --@QuickCheck @T = nat;
@@ -87,28 +91,48 @@ functions
     pre 
         type_convergent[@T](b)
     post 
-        bset[@T](b) = bset[@T](RESULT)
-        and
-        type_convergent[@T](RESULT);
+        type_convergent[@T](RESULT)
+        and 
+        (bset[@T](RESULT) = if n = 0 then {} else bset[@T](b))
+        and 
+        (forall x in set bset[@T](b) & amount[@T](RESULT, x) = n * amount[@T](b, x));
 
     --@QuickCheck @T = nat;
     bunion[@T]: Bag * Bag -> Bag 
     bunion(a, b) == 
-        { x |-> a(x) + b(x) | x in set dom a union dom b }
+        --@doc unique of a + unique of b + common with summed amounts
+       (bset[@T](b) <-: a) 
+       munion 
+       (bset[@T](a) <-: b) 
+       munion 
+       { x |-> a(x) + b(x) | x in set dom a inter dom b }
     pre 
         type_convergent[@T](a) and type_convergent[@T](b)
     post 
-        bset[@T](RESULT) = bset[@T](a) union bset[@T](b);
+        bset[@T](RESULT) = bset[@T](a) union bset[@T](b)
+        and 
+        (forall x in set bset[@T](a) inter bset[@T](b) & amount[@T](RESULT, x) = amount[@T](a, x) + amount[@T](b, x))
+        and 
+        (forall x in set bset[@T](a) \ bset[@T](b) & amount[@T](RESULT, x) = amount[@T](a, x))
+        and 
+        (forall x in set bset[@T](b) \ bset[@T](a) & amount[@T](RESULT, x) = amount[@T](b, x));
 
     --@QuickCheck @T = nat;
     difference[@T]: Bag * Bag -> Bag 
     difference(a, b) == 
-        { x |-> a(x) - b(x) | x in set dom a union dom b /*inter dom b*/ & a(x) - b(x) > 0 }
+        --@doc unique of a with subtraction over common with b (or removal)
+        bset[@T](b) <-: a 
+        munion 
+        { x |-> a(x) - b(x) | x in set bset[@T](a) inter bset[@T](b) & a(x) > b(x) }
     pre 
         type_convergent[@T](a) and type_convergent[@T](b)
     post 
-        --@doc not equal because when zeroed it goes out of the domain
-        bset[@T](RESULT) subset bset[@T](a) \ bset[@T](b);
+        --@doc resulting bag has elements of a with elements of b subtracted (or removed) 
+        (forall x in set bset[@T](RESULT) & 
+            amount[@T](RESULT, x) = max(0, amount[@T](a, x) - amount[@T](b, x)));
+
+    max: int * int -> int
+    max(a, b) == if a >= b then a else b;
 
     --@QuickCheck @T = nat;
     filter[@T]: seq of @T * (@T -> bool) -> seq of @T 
diff --git a/vdmlib/src/main/resources/StrBag.vdmsl b/vdmlib/src/main/resources/StrBag.vdmsl
@@ -0,0 +1,127 @@
+------------------------------------------------------------------------------------
+--@header 
+--@doc Copyright Leo Freitas 2019-2023 
+--@doc Bag as an abstract data type (inspired by SPARK ADTs and Z/Eves bags)
+------------------------------------------------------------------------------------
+module StrBag 
+exports 
+    types 
+        Bag;
+        struct String;
+    functions 
+        empty: () -> Bag;  
+        isEmpty: Bag -> bool;  
+        bset: Bag -> set of String;
+        inbag: String * Bag -> bool;
+        count: Bag -> (String -> nat);
+        amount: Bag * String -> nat;
+        post_amount: Bag * String * nat +> bool;
+        subbageq: Bag * Bag -> bool;
+        scale: nat * Bag -> Bag;
+        bunion: Bag * Bag -> Bag;
+        post_bunion: Bag * Bag * Bag +> bool;
+        difference: Bag * Bag -> Bag;
+        post_difference: Bag * Bag * Bag +> bool;
+        items: seq of String -> Bag;
+definitions
+types 
+    String = seq1 of char; 
+    Bag = map String to nat1;
+
+functions 
+    empty: () -> Bag
+    empty() == {|->};
+
+    isEmpty: Bag -> bool 
+    isEmpty(b) == b = empty()
+    post 
+        RESULT <=> b = empty();
+
+    bset: Bag -> set of String
+    bset(b) == dom b;
+
+    inbag: String * Bag -> bool    
+    inbag(x, b) == x in set bset(b)
+    post 
+        RESULT <=> x in set bset(b);
+
+    count: Bag -> (String -> nat)
+    count(b) == (lambda x: String & amount(b, x));
+
+    amount: Bag * String -> nat 
+    amount(b, x) == 
+        if inbag(x, b) then b(x) else 0
+    post 
+        (inbag(x, b) <=> is_nat1(RESULT));
+
+    --@QuickCheck String = nat;
+    subbageq: Bag * Bag -> bool
+    subbageq(a, b) ==
+        forall xa in set dom a & inbag(xa, b) and amount(a, xa) <= amount(b, xa)
+    post 
+        RESULT <=> 
+        (bset(a) subset bset(b) 
+         and 
+         forall x in set bset(a) & amount(a, x) <= amount(b, x)
+        );
+
+    --@doc ZEves scale definition is wrong! wrt to theorem bagscaleBy1 (!
+    --@QuickCheck String = nat;
+    scale: nat * Bag -> Bag 
+    scale(n, b) == 
+        if n = 0 then 
+            empty() 
+        else  
+            { x |-> n * b(x) | x in set dom b }
+    post 
+        bset(RESULT) = (if n = 0 then {} else bset(b))
+        and 
+        (forall x in set bset(b) & amount(RESULT, x) = n * amount(b, x));
+
+    --@QuickCheck String = nat;
+    bunion: Bag * Bag -> Bag 
+    bunion(a, b) == 
+        --@doc unique of a + unique of b + common with summed amounts
+       (bset(b) <-: a) 
+       munion 
+       (bset(a) <-: b) 
+       munion 
+       { x |-> a(x) + b(x) | x in set dom a inter dom b }
+    post 
+        bset(RESULT) = bset(a) union bset(b)
+        and 
+        (forall x in set bset(a) inter bset(b) & amount(RESULT, x) = amount(a, x) + amount(b, x))
+        and 
+        (forall x in set bset(a) \ bset(b) & amount(RESULT, x) = amount(a, x))
+        and 
+        (forall x in set bset(b) \ bset(a) & amount(RESULT, x) = amount(b, x));
+
+    --@QuickCheck String = nat;
+    difference: Bag * Bag -> Bag 
+    difference(a, b) == 
+        --@doc unique of a with subtraction over common with b (or removal)
+        bset(b) <-: a 
+        munion 
+        { x |-> a(x) - b(x) | x in set bset(a) inter bset(b) & a(x) > b(x) }
+    post 
+        --@doc resulting bag has elements of a with elements of b subtracted (or removed) 
+        (forall x in set bset(RESULT) & 
+            amount(RESULT, x) = max(0, amount(a, x) - amount(b, x)));
+
+    max: int * int -> int
+    max(a, b) == if a >= b then a else b;
+
+    --@QuickCheck String = nat;
+    filter: seq of String * (String -> bool) -> seq of String 
+    filter(s, f) == [ s(i) | i in set inds s & f(s(i)) ]
+    post 
+        RESULT <> [] <=> (forall x in set elems RESULT & f(x)); 
+        -- RESULT <> [] <=> elems RESULT = {x};
+
+    --@QuickCheck String = nat;
+    items: seq of String -> Bag 
+    items(s) == { s(i) |-> len filter(s, (lambda x: String & s(i) = x)) | i in set inds s }
+    post 
+        elems s = bset(RESULT);
+
+end StrBag
