|
|
|---|
|
|
|
|---|
(difference x y) removes all members of
The logical definition is very simple, and the essential
correctness property is given by
The execution uses a better, O(n) algorithm to remove the elements by exploiting the set order.
Function:
(defun difference (x y) (declare (xargs :guard (and (setp x) (setp y)))) (mbe :logic (cond ((empty x) (sfix x)) ((in (head x) y) (difference (tail x) y)) (t (insert (head x) (difference (tail x) y)))) :exec (fast-difference x y nil)))
Theorem:
(defthm difference-set (setp (difference x y)))
Theorem:
(defthm difference-sfix-x (equal (difference (sfix x) y) (difference x y)))
Theorem:
(defthm difference-sfix-y (equal (difference x (sfix y)) (difference x y)))
Theorem:
(defthm difference-empty-x (implies (empty x) (equal (difference x y) (sfix x))))
Theorem:
(defthm difference-empty-y (implies (empty y) (equal (difference x y) (sfix x))))
Theorem:
(defthm difference-in (equal (in a (difference x y)) (and (in a x) (not (in a y)))))
Theorem:
(defthm difference-subset-x (subset (difference x y) x))
Theorem:
(defthm subset-difference (equal (empty (difference x y)) (subset x y)))
Theorem:
(defthm difference-insert-x (equal (difference (insert a x) y) (if (in a y) (difference x y) (insert a (difference x y)))))
Theorem:
(defthm difference-preserves-subset (implies (subset x y) (subset (difference x z) (difference y z))))