Mergesort correctness proof in dafny

1.  
2. method MergeSort(a1:array<int>) returns (a:array<int>)
3. requires a1 != null && a1.Length > 0;
4. ensures a != null;
5. ensures forall k:: forall l:: 0 <= k < l < a.Length ==> a[k] <= a[l];
6. {
7. a := ms(a1, 0, a1.Length-1);
8. return;
9. }
10.  
11. method ms(a1:array<int>, l:int, u:int) returns (a:array<int>)
12. requires a1 != null && a1.Length > 0
13. requires 0 <= l <= u < a1.Length
14. ensures a != null && a.Length == a1.Length
15. ensures forall x:: forall y:: l <= x < y <= u ==> a[x] <= a[y];
16. decreases u-l;
17. {
18. a := new int[a1.Length];
19. assume forall k:: 0 <= k < a1.Length ==> a[k] == a1[k];
20. if (l >= u)
21. {
22. return;
23. }
24. else
25. {
26. var m:int := (l + u) / 2;
27. a := ms(a, l, m);
28. a := ms(a, m+1, u);
29. a := merge(a, l, m, u);
30. return;
31. }
32. }
33.  
34. method merge(a1:array<int>, l:int, m:int, u:int) returns (a:array<int>)
35. requires a1 != null && a1.Length > 1
36. requires 0 <= l <= m < u < a1.Length
37. requires forall x, y:: l <= x < y <= m ==> a1[x] <= a1[y]
38. requires forall x, y:: m+1 <= x < y <= u ==> a1[x] <= a1[y]
39. ensures a != null && a.Length == a1.Length
40. ensures forall x,y:: l <= x < y <= u ==> a[x] <= a[y]
41. {
42. a := new int[a1.Length];
43. assume forall k:: 0 <= k < a1.Length ==> a[k] == a1[k];
44. var buf := new int[u-l+1];
45. var i:int := l;
46. var j:int := m + 1;
47. var k:int := 0;
48. assert(j == m+1);
49. assert(i == l);
50. while (k < u-l+1)
51. invariant 0 <= k <= u-l+1
52. invariant k == (i-l)+(j-m-1)
53. invariant 0 <= l <= m < u < a.Length
54. invariant m <= j-1 <= u
55. invariant l <= i <= m + 1
56. invariant forall x,y:: i <= x <= m && 0 <= y < k < u-l+1 ==> buf[y] <= a[x]
57. invariant forall x,y:: j <= x <= u && 0 <= y < k < u-l+1 ==> buf[y] <= a[x]
58. invariant forall x, y:: 0 <= x < y < k < u-l+1 ==> buf[x] <= buf[y]
59. {
60. if (i > m)
61. {
62. buf[k] := a[j];
63. j := j + 1;
64. }
65. else if (j > u)
66. {
67. buf[k] := a[i];
68. i := i + 1;
69. }
70. else if (a[i] <= a[j])
71. {
72. buf[k] := a[i];
73. i := i + 1;
74. }
75. else
76. {
77. buf[k] := a[j];
78. j := j + 1;
79. }
80. k := k + 1;
81. }
82.  
83. k := 0;
84. while (k < u-l+1)
85. invariant 0 <= k <= u-l+1
86. invariant 0 <= l <= u < a.Length
87. {
88. a[l + k] := buf[k];
89. k := k + 1;
90. }
91. }