chore(dafny): add new SearchAndReplaceWhole and friends (#1680)

ajewellamz · web-flow · commit 74e98c10184c · 2025-08-13T18:44:24.000-04:00
diff --git a/StandardLibrary/src/String.dfy b/StandardLibrary/src/String.dfy
@@ -8,7 +8,9 @@ module StandardLibrary.String {
   import opened UInt
   import opened Sequence
   import opened MemoryMath
-  export provides Int2String, Base10Int2String, HasSubString, Wrappers, UInt, HasSubStringPos, SearchAndReplace, SearchAndReplacePos, SearchAndReplaceAll
+  export provides Int2String, Base10Int2String, HasSubString, Wrappers, UInt,
+                  HasSubStringPos, SearchAndReplace, SearchAndReplacePos, SearchAndReplaceAll,
+                  SearchAndReplacePosWhole, SearchAndReplaceAllWhole, AlphaNumeric, AlphaNumericUnder
 
   const Base10: seq<char> := ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
 
@@ -61,18 +63,8 @@ module StandardLibrary.String {
     returns (o : seq<T>)
     requires 0 < |old_str|
   {
-    var old_pos := HasSubString(source, old_str);
-    if old_pos.None? {
-      return source;
-    } else {
-      SequenceIsSafeBecauseItIsInMemory(source);
-      SequenceIsSafeBecauseItIsInMemory(old_str);
-      ValueIsSafeBecauseItIsInMemory(old_pos.value);
-      var pos : uint64 := old_pos.value as uint64;
-      var source_len : uint64 := |source| as uint64;
-      var old_str_len : uint64 := |old_str| as uint64;
-      return source[..pos] + new_str + source[pos+old_str_len..];
-    }
+    var x := SearchAndReplacePos(source, old_str, new_str, 0);
+    return x.0;
   }
 
   // Replace first occurrence of old_str after pos in source with new_str and return the result.
@@ -101,6 +93,81 @@ module StandardLibrary.String {
     }
   }
 
+  predicate method BadStart<T(==)>(source : seq<T>, pos : uint64, chars : seq<T>)
+    requires pos as nat <= |source|
+  {
+    if pos == 0 then
+      false
+    else
+      source[pos-1] in chars
+  }
+
+  predicate method BadEnd<T(==)>(source : seq<T>, pos : uint64, match_len : uint64, chars : seq<T>) {
+    SequenceIsSafeBecauseItIsInMemory(source);
+    var source_len : uint64 := |source| as uint64;
+    if Add(pos, match_len) >= source_len then
+      false
+    else
+      source[pos+match_len] in chars
+
+  }
+  predicate method BadMatch<T(==)>(source : seq<T>, pos : uint64, match_len : uint64, chars : seq<T>)
+    requires pos as nat <= |source|
+  {
+    BadStart(source, pos, chars) || BadEnd(source, pos, match_len, chars)
+  }
+
+  const AlphaNumeric      : string := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+  const AlphaNumericUnder : string := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
+
+  // Replace first occurrence of old_str after pos in source with new_str and return the result.
+  // If old_str does not exist in source, the source is returned unchanged
+  // second value in output is None if old_str not found, otherwise it points just after the replaced value
+  // a match only counts if the character before or after is not in chars
+  method SearchAndReplacePosWhole<T(==)>(source: seq<T>, old_str: seq<T>, new_str: seq<T>, xpos : uint64, chars : seq<T>)
+    returns (o : (seq<T>, Option<uint64>))
+    requires xpos as nat <= |source|
+    requires 0 < |old_str|
+    ensures o.1.Some? ==> |o.0| - o.1.value as nat < |source| - xpos as nat
+    ensures o.1.Some? ==> o.1.value as nat <= |o.0|
+  {
+    SequenceIsSafeBecauseItIsInMemory(source);
+    SequenceIsSafeBecauseItIsInMemory(old_str);
+    var old_str_len : uint64 := |old_str| as uint64;
+    var pos : uint64 := xpos;
+
+    while pos < |source| as uint64 {
+      var old_pos := HasSubStringPos(source, old_str, pos);
+      if old_pos.None? {
+        return (source, None);
+      } else if BadMatch(source, old_pos.value, old_str_len, chars) {
+        pos := old_pos.value + 1;
+      } else {
+        SequenceIsSafeBecauseItIsInMemory(source);
+        SequenceIsSafeBecauseItIsInMemory(new_str);
+        var source_len : uint64 := |source| as uint64;
+        var new_str_len : uint64 := |new_str| as uint64;
+        o := (source[..old_pos.value] + new_str + source[old_pos.value+old_str_len..], Some(Add(old_pos.value, new_str_len)));
+        assert |o.0| - o.1.value as nat < |source| - pos as nat;
+        return o;
+      }
+    }
+    return (source, None); // not really needed, but Dafny is dumb
+  }
+
+  // Replace first occurrence of old_str after pos in source with new_str and return the result.
+  // If old_str does not exist in source, the source is returned unchanged
+  // second value in output is None if old_str not found, otherwise it points just after the replaced value
+  // a match only counts if the character before or after is not in chars
+  method SearchAndReplaceWhole<T(==)>(source: seq<T>, old_str: seq<T>, new_str: seq<T>, chars : seq<T>)
+    returns (o : (seq<T>, Option<uint64>))
+    requires 0 < |old_str|
+    ensures o.1.Some? ==> |o.0| - o.1.value as nat < |source| as nat
+    ensures o.1.Some? ==> o.1.value as nat <= |o.0|
+  {
+    o := SearchAndReplacePosWhole(source, old_str, new_str, 0, chars);
+  }
+
   // Replace all occurrences of old_str in source with new_str and return the result.
   // If old_str does not exist in source, the source is returned unchanged
   // safe to use if new_str contains old_str
@@ -125,6 +192,32 @@ module StandardLibrary.String {
     }
   }
 
+  // Replace all occurrences of old_str in source with new_str and return the result.
+  // If old_str does not exist in source, the source is returned unchanged
+  // safe to use if new_str contains old_str
+  // a match only counts if the character before or after is not in chars
+  method SearchAndReplaceAllWhole<T(==)>(source_in: seq<T>, old_str: seq<T>, new_str: seq<T>, chars : seq<T>)
+    returns (o : seq<T>)
+    requires 0 < |old_str|
+  {
+    var pos : uint64 := 0;
+    var source := source_in;
+    while true
+      invariant pos as nat <= |source|
+      decreases |source| - pos as nat
+    {
+      var res := SearchAndReplacePosWhole(source, old_str, new_str, pos, chars);
+      if res.1.None? {
+        SequenceIsSafeBecauseItIsInMemory(source);
+        pos := |source| as uint64; // unneeded, but Dafny is dumb
+        return res.0;
+      }
+      source := res.0;
+      pos := res.1.value;
+    }
+  }
+
+
   /* Returns the index of a substring or None, if the substring is not in the string */
   method HasSubString<T(==)>(haystack: seq<T>, needle: seq<T>)
     returns (o: Option<nat>)
diff --git a/StandardLibrary/test/TestString.dfy b/StandardLibrary/test/TestString.dfy
@@ -63,6 +63,27 @@ module TestStrings {
     expect actual == "rose_daisy is a rose_daisy is a rose_daisy";
   }
 
+  method {:test} TestSearchAndReplaceAllWholeEasy()
+  {
+    var actual := String.SearchAndReplaceAllWhole("Koda is a Dog.", "Koda", "Robbie", String.AlphaNumericUnder);
+    expect actual == "Robbie is a Dog.";
+    actual := String.SearchAndReplaceAllWhole("Koda is a Dog.", "Dog", "good boy", String.AlphaNumericUnder);
+    expect actual == "Koda is a good boy.";
+    actual := String.SearchAndReplaceAllWhole("Koda is a Dog.", "Dog.", "good boy!", String.AlphaNumericUnder);
+    expect actual == "Koda is a good boy!";
+    actual := String.SearchAndReplaceAllWhole("Koda is a Dog.", "Robbie", "good boy!", String.AlphaNumericUnder);
+    expect actual == "Koda is a Dog.";
+    actual := String.SearchAndReplaceAllWhole("Koda is a Dog.", "Koda", "Koda", String.AlphaNumericUnder);
+    expect actual == "Koda is a Dog.";
+
+    actual := String.SearchAndReplaceAllWhole("A rose is a rose is a rose.", "rose", "daisy", String.AlphaNumericUnder);
+    expect actual == "A daisy is a daisy is a daisy.";
+    actual := String.SearchAndReplaceAllWhole("rose is a rose is a rose", "rose", "daisy", String.AlphaNumericUnder);
+    expect actual == "daisy is a daisy is a daisy";
+    actual := String.SearchAndReplaceAllWhole("rose is a rose is a rose", "rose", "rose_daisy", String.AlphaNumericUnder);
+    expect actual == "rose_daisy is a rose_daisy is a rose_daisy";
+  }
+
   method {:test} TestHasSearchAndReplacePos()
   {
     var actual := String.SearchAndReplacePos("Koda is a Dog.", "Koda", "Robbie", 0);
@@ -91,6 +112,56 @@ module TestStrings {
     expect actual == ("Koda is a Dog.", Some(4));
   }
 
+  // in most cases SearchAndReplacePosWhole is just like SearchAndReplacePos
+  method {:test} TestHasSearchAndReplacePosWholeEasy()
+  {
+    var actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Koda", "Robbie", 0, String.AlphaNumericUnder);
+    expect actual == ("Robbie is a Dog.", Some(6));
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Koda", "Robbie", 1, String.AlphaNumericUnder);
+    expect actual == ("Koda is a Dog.", None);
+
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Dog", "good boy", 0, String.AlphaNumericUnder);
+    expect actual == ("Koda is a good boy.", Some(18));
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Dog", "good boy", 10, String.AlphaNumericUnder);
+    expect actual == ("Koda is a good boy.", Some(18));
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Dog", "good boy", 11, String.AlphaNumericUnder);
+    expect actual == ("Koda is a Dog.", None);
+
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Dog.", "good boy!", 0, String.AlphaNumericUnder);
+    expect actual == ("Koda is a good boy!", Some(19));
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Dog.", "good boy!", 10, String.AlphaNumericUnder);
+    expect actual == ("Koda is a good boy!", Some(19));
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Dog.", "good boy!", 11, String.AlphaNumericUnder);
+    expect actual == ("Koda is a Dog.", None);
+
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Robbie", "good boy!", 0, String.AlphaNumericUnder);
+    expect actual == ("Koda is a Dog.", None);
+    actual := String.SearchAndReplacePosWhole("Koda is a Dog.", "Koda", "Koda", 0, String.AlphaNumericUnder);
+    expect actual == ("Koda is a Dog.", Some(4));
+  }
+
+  // when forbid comes in to play
+  method {:test} TestHasSearchAndReplacePosWholeHard()
+  {
+    var actual := String.SearchAndReplacePosWhole("KodaisaDog", "Koda", "Robbie", 0, String.AlphaNumericUnder);
+    expect actual == ("KodaisaDog", None);
+    actual := String.SearchAndReplacePosWhole("KodaisaDog", "Dog", "Puppy", 1, String.AlphaNumericUnder);
+    expect actual == ("KodaisaDog", None);
+    actual := String.SearchAndReplacePosWhole("Koda*isaDog", "Koda", "Robbie", 0, String.AlphaNumericUnder);
+    expect actual == ("Robbie*isaDog", Some(6));
+    actual := String.SearchAndReplacePosWhole("Kodaisa.Dog", "Dog", "Puppy", 1, String.AlphaNumericUnder);
+    expect actual == ("Kodaisa.Puppy", Some(13));
+  }
+
+  // when forbid comes in to play
+  method {:test} TestHasSearchAndReplaceAllWholeHard()
+  {
+    var actual := String.SearchAndReplaceAllWhole("Koda1 Koda Koda2 Koda Koda3", "Koda", "Robbie", String.AlphaNumericUnder);
+    expect actual == "Koda1 Robbie Koda2 Robbie Koda3";
+    actual := String.SearchAndReplaceAllWhole("Koda Koda1 Koda Koda2 Koda Koda3 Koda", "Koda", "Robbie", String.AlphaNumericUnder);
+    expect actual == "Robbie Koda1 Robbie Koda2 Robbie Koda3 Robbie";
+  }
+
   method {:test} TestHasSubStringPositive()
   {
     var actual := String.HasSubString("Koda is a Dog.", "Koda");
