## A Sudoku solver

Auteurs: Claude Marché / Guillaume Melquiond

Catégories: Array Data Structure

Outils: Why3

see also the index (by topic, by tool, by reference, by year)

# An Efficient Sudoku Solver

Author: Claude MarchÃ© (Inria) Guillaume Melquiond (Inria)

## A theory of 9x9 grids

```module Grid

use int.Int
use map.Map

type grid = map int int
```

A grid is a map from integers to integers

```  predicate is_index (i:int) = 0 <= i < 81
```

valid indexes are 0..80

```  predicate valid_values (g:grid) =
forall i. is_index i -> 0 <= g[i] <= 9
```

valid values are 0..9. 0 denotes an empty cell

```  predicate grid_eq_sub (g1 g2:grid) (a b:int) =
forall j. a <= j < b -> g1[j] = g2[j]
```

extensional equality of grids and sub-grids

```  predicate grid_eq (g1 g2:grid) = grid_eq_sub g1 g2 0 81

lemma grid_eq_sub:
forall g1 g2 a b. 0 <= a <= 81 /\ 0 <= b <= 81 /\
grid_eq g1 g2 -> grid_eq_sub g1 g2 a b

```

### Grid "Chunks"

A chunk is either a column, a row or a square.

A chunk is defined by a starting index s and a set of 9 offsets {o0,..,o8}, that thus denotes a set of 9 cells {s+o0,..,s+o8} in a grid.

Each cell of the grid belongs to 3 chunks, one of each kind. For each cell index, there is a unique starting index respectively for the column, the row and the square it belongs to.

```  use array.Array

type sudoku_chunks =
{ column_start : array int;
column_offsets : array int;
row_start : array int;
row_offsets : array int;
square_start : array int;
square_offsets : array int;
}

predicate chunk_valid_indexes (start:array int) (offsets:array int) =
start.length = 81 /\ offsets.length = 9 /\
forall i o:int. is_index i /\ 0 <= o < 9 ->
is_index(start[i] + offsets[o])
```

Chunks must point to valid indexes of the grid

```  predicate disjoint_chunks (start:array int) (offsets:array int) =
start.length = 81 /\ offsets.length = 9 /\
forall i1 i2 o:int.
is_index i1 /\ is_index i2 /\ 0 <= o < 9 ->
let s1 = start[i1] in
let s2 = start[i2] in
s1 <> s2 -> i1 <> s2 + offsets[o]
```

Chunks (of the same kind column, row or square) with distinct starting cells must be disjoint

```  predicate well_formed_sudoku (s:sudoku_chunks) =
chunk_valid_indexes s.column_start s.column_offsets /\
chunk_valid_indexes s.row_start s.row_offsets /\
chunk_valid_indexes s.square_start s.square_offsets /\
disjoint_chunks s.column_start s.column_offsets /\
disjoint_chunks s.row_start s.row_offsets /\
disjoint_chunks s.square_start s.square_offsets
```

A sudoku grid is well formed when chunks are valid and disjoint

### Valid Sudoku Solutions

`valid_chunk g i start offsets` is true whenever the chunk denoted by `start,offsets` from cell `i` is "valid" in grid `g`, in the sense that it contains at most one occurence of each number between 1 and 9

```  predicate valid_chunk (g:grid) (i:int)
(start:array int) (offsets:array int) =
let s = start[i] in
forall o1 o2 : int. 0 <= o1 < 9 /\ 0 <= o2 < 9 /\ o1 <> o2 ->
let i1 = s + offsets[o1] in
let i2 = s + offsets[o2] in
1 <= Map.get g i1 <= 9 /\ 1 <= Map.get g i2 <= 9 ->
Map.get g i1 <> Map.get g i2

predicate valid_column (s:sudoku_chunks) (g:grid) (i:int) =
valid_chunk g i s.column_start s.column_offsets

predicate valid_row (s:sudoku_chunks) (g:grid) (i:int) =
valid_chunk g i s.row_start s.row_offsets

predicate valid_square (s:sudoku_chunks) (g:grid) (i:int) =
valid_chunk g i s.square_start s.square_offsets

predicate valid (s:sudoku_chunks) (g : grid) =
forall i : int. is_index i ->
valid_column s g i /\ valid_row s g i /\ valid_square s g i
```

`valid g` is true when all chunks are valid

```  predicate full (g : grid) =
forall i : int. is_index i -> 1 <= Map.get g i <= 9
```

`full g` is true when all cells are filled

```  predicate included (g1 g2 : grid) =
forall i : int. is_index i /\ 1 <= Map.get g1 i <= 9 ->
Map.get g2 i = Map.get g1 i
```

`included g1 g2`

```  lemma subset_valid_chunk :
forall g h : grid. included g h ->
forall i:int, s o:array int. is_index i /\
chunk_valid_indexes s o /\ valid_chunk h i s o ->
valid_chunk g i s o
```

validity is monotonic w.r.t. inclusion

```  lemma subset_valid :
forall s g h.
well_formed_sudoku s /\ included g h /\ valid s h -> valid s g

predicate is_solution_for (s:sudoku_chunks) (sol:grid) (data:grid) =
included data sol /\ full sol /\ valid s sol
```

A solution of a grid `data` is a full grid `sol` that is valid and includes `data`

```end

module TheClassicalSudokuGrid
```

## Concrete Values of Chunks for the Classical Sudoku Grid

```  use Grid
use map.Map
use int.Int

use array.Array

let classical_sudoku () : sudoku_chunks
ensures { well_formed_sudoku result }
=
(* column start *)
let cs = Array.make 81 0 in
cs[ 0]<-0; cs[ 1]<-1; cs[ 2]<-2; cs[ 3]<-3; cs[ 4]<-4; cs[ 5]<-5;
cs[ 6]<-6; cs[ 7]<-7; cs[ 8]<-8; cs[ 9]<-0; cs[10]<-1; cs[11]<-2;
cs[12]<-3; cs[13]<-4; cs[14]<-5; cs[15]<-6; cs[16]<-7; cs[17]<-8;
cs[18]<-0; cs[19]<-1; cs[20]<-2; cs[21]<-3; cs[22]<-4; cs[23]<-5;
cs[24]<-6; cs[25]<-7; cs[26]<-8; cs[27]<-0; cs[28]<-1; cs[29]<-2;
cs[30]<-3; cs[31]<-4; cs[32]<-5; cs[33]<-6; cs[34]<-7; cs[35]<-8;
cs[36]<-0; cs[37]<-1; cs[38]<-2; cs[39]<-3; cs[40]<-4; cs[41]<-5;
cs[42]<-6; cs[43]<-7; cs[44]<-8; cs[45]<-0; cs[46]<-1; cs[47]<-2;
cs[48]<-3; cs[49]<-4; cs[50]<-5; cs[51]<-6; cs[52]<-7; cs[53]<-8;
cs[54]<-0; cs[55]<-1; cs[56]<-2; cs[57]<-3; cs[58]<-4; cs[59]<-5;
cs[60]<-6; cs[61]<-7; cs[62]<-8; cs[63]<-0; cs[64]<-1; cs[65]<-2;
cs[66]<-3; cs[67]<-4; cs[68]<-5; cs[69]<-6; cs[70]<-7; cs[71]<-8;
cs[72]<-0; cs[73]<-1; cs[74]<-2; cs[75]<-3; cs[76]<-4; cs[77]<-5;
cs[78]<-6; cs[79]<-7; cs[80]<-8;
(* column offset *)
let co = Array.make 9 0 in
co[ 0]<-0; co[ 1]<-9; co[ 2]<-18; co[ 3]<-27; co[ 4]<-36; co[
5]<-45; co[ 6]<-54; co[ 7]<-63; co[ 8]<-72;
(* row start *)
let rs = Array.make 81 0 in
rs[ 0]<- 0; rs[ 1]<- 0; rs[ 2]<- 0; rs[ 3]<- 0; rs[ 4]<-0; rs[5]<-0;
rs[ 6]<- 0; rs[ 7]<- 0; rs[ 8]<- 0; rs[ 9]<- 9; rs[10]<-9; rs[11]<-9;
rs[12]<- 9; rs[13]<- 9; rs[14]<- 9; rs[15]<- 9; rs[16]<-9; rs[17]<-9;
rs[18]<-18; rs[19]<-18; rs[20]<-18; rs[21]<-18; rs[22]<-18;
rs[23]<-18; rs[24]<-18; rs[25]<-18; rs[26]<-18; rs[27]<-27;
rs[28]<-27; rs[29]<-27; rs[30]<-27; rs[31]<-27; rs[32]<-27;
rs[33]<-27; rs[34]<-27; rs[35]<-27; rs[36]<-36; rs[37]<-36;
rs[38]<-36; rs[39]<-36; rs[40]<-36; rs[41]<-36; rs[42]<-36;
rs[43]<-36; rs[44]<-36; rs[45]<-45; rs[46]<-45; rs[47]<-45;
rs[48]<-45; rs[49]<-45; rs[50]<-45; rs[51]<-45; rs[52]<-45;
rs[53]<-45; rs[54]<-54; rs[55]<-54; rs[56]<-54; rs[57]<-54;
rs[58]<-54; rs[59]<-54; rs[60]<-54; rs[61]<-54; rs[62]<-54;
rs[63]<-63; rs[64]<-63; rs[65]<-63; rs[66]<-63; rs[67]<-63;
rs[68]<-63; rs[69]<-63; rs[70]<-63; rs[71]<-63; rs[72]<-72;
rs[73]<-72; rs[74]<-72; rs[75]<-72; rs[76]<-72; rs[77]<-72;
rs[78]<-72; rs[79]<-72; rs[80]<-72;
(* row offset *)
let ro = Array.make 9 0 in
ro[ 0]<-0; ro[ 1]<-1; ro[ 2]<-2; ro[ 3]<-3; ro[ 4]<-4; ro[ 5]<-5;
ro[ 6]<-6; ro[ 7]<-7; ro[ 8]<-8;
(* square start *)
let ss = Array.make 81 0 in
ss[ 0]<- 0; ss[ 1]<- 0; ss[ 2]<- 0; ss[ 3]<- 3; ss[ 4]<- 3;
ss[ 5]<- 3; ss[ 6]<- 6; ss[ 7]<- 6; ss[ 8]<- 6; ss[ 9]<- 0;
ss[10]<- 0; ss[11]<- 0; ss[12]<- 3; ss[13]<- 3; ss[14]<- 3; ss[15]<- 6;
ss[16]<- 6; ss[17]<- 6; ss[18]<- 0; ss[19]<- 0; ss[20]<- 0;
ss[21]<- 3; ss[22]<- 3; ss[23]<- 3; ss[24]<- 6; ss[25]<- 6;
ss[26]<- 6; ss[27]<-27; ss[28]<-27; ss[29]<-27; ss[30]<-30;
ss[31]<-30; ss[32]<-30; ss[33]<-33; ss[34]<-33; ss[35]<-33;
ss[36]<-27; ss[37]<-27; ss[38]<-27; ss[39]<-30; ss[40]<-30;
ss[41]<-30; ss[42]<-33; ss[43]<-33; ss[44]<-33; ss[45]<-27;
ss[46]<-27; ss[47]<-27; ss[48]<-30; ss[49]<-30; ss[50]<-30;
ss[51]<-33; ss[52]<-33; ss[53]<-33; ss[54]<-54; ss[55]<-54;
ss[56]<-54; ss[57]<-57; ss[58]<-57; ss[59]<-57; ss[60]<-60;
ss[61]<-60; ss[62]<-60; ss[63]<-54; ss[64]<-54; ss[65]<-54;
ss[66]<-57; ss[67]<-57; ss[68]<-57; ss[69]<-60; ss[70]<-60;
ss[71]<-60; ss[72]<-54; ss[73]<-54; ss[74]<-54; ss[75]<-57;
ss[76]<-57; ss[77]<-57; ss[78]<-60; ss[79]<-60; ss[80]<-60;
(* square offset *)
let sqo = Array.make 9 0 in
sqo[0]<-0; sqo[1]<-1; sqo[2]<-2; sqo[3]<-9; sqo[4]<-10;
sqo[5]<-11; sqo[6]<-18; sqo[7]<-19; sqo[8]<-20;
{ column_start = cs; column_offsets = co;
row_start    = rs; row_offsets    = ro;
square_start = ss; square_offsets = sqo; }

end

```

## A Sudoku Solver

```module Solver

use Grid
use array.Array
use int.Int

predicate valid_chunk_up_to (g:grid) (i:int)
(start:array int) (offsets:array int) (off:int) =
let s = start[i] in
forall o1 o2 : int.
0 <= o1 < off /\ 0 <= o2 < off /\ o1 <> o2 ->
let i1 = s + offsets[o1] in
let i2 = s + offsets[o2] in
1 <= Map.get g i1 <= 9 /\ 1 <= Map.get g i2 <= 9 ->
Map.get g i1 <> Map.get g i2
```

predicate for the loop invariant of next function

```  exception Invalid

use array.Array

let check_valid_chunk (g:array int) (i:int)
(start:array int) (offsets:array int) : unit
requires { g.length = 81 }
requires { valid_values g.elts }
requires { is_index i }
requires { chunk_valid_indexes start offsets }
ensures { valid_chunk g.elts i start offsets }
raises { Invalid -> not (valid_chunk g.elts i start offsets) }
=
let s = start[i] in
let b = Array.make 10 False in
for off = 0 to 8 do
invariant { valid_chunk_up_to g.elts i start offsets off }
invariant { forall o:int. 0 <= o < off ->
let v = g[s + offsets[o]] in
1 <= v <= 9 -> b[v] = True }
invariant { forall j:int. 1 <= j <= 9 ->
b[j] = True ->
exists o:int.
0 <= o < off /\ Map.get g.elts (s + offsets[o]) = j }
let v = g[s + offsets[off]] in
if 1 <= v && v <= 9 then
begin
if b[v] then raise Invalid;
b[v] <- True
end
done
```

`check_valid_chunk g i start offsets` checks the validity of the chunk that includes `i`

```  predicate valid_up_to (s:sudoku_chunks) (g:grid) (i:int) =
forall j : int. 0 <= j < i ->
valid_column s g j /\ valid_row s g j /\ valid_square s g j
```

predicate for the loop invariant of next function

```  let check_valid (s:sudoku_chunks) (g : array int) : bool
requires { well_formed_sudoku s }
requires { g.length = 81 }
requires { valid_values g.elts }
ensures { result <-> valid s g.elts }
=
try
for i = 0 to 80 do
invariant { valid_up_to s g.elts i }
check_valid_chunk g i s.column_start s.column_offsets;
check_valid_chunk g i s.row_start s.row_offsets;
check_valid_chunk g i s.square_start s.square_offsets
done;
True
with Invalid -> False
end
```

`check_valid s g` checks if the (possibly partially filled) grid `g` is valid. (This function is not needed by the solver)

```  predicate full_up_to (g : grid) (i : int) = forall j :
int. 0 <= j < i -> 1 <= Map.get g j <= 9
```

`full_up_to g i` is true when all cells `0..i-1` in grid `g` are non empty

```  lemma full_up_to_change :
forall g i x. is_index i /\ full_up_to g i
-> 1 <= x <= 9 -> full_up_to (Map.set g i x) (i+1)

let rec lemma full_up_to_frame (g1 g2:grid) (i:int)
requires { 0 <= i <= 81 }
requires { grid_eq_sub g1 g2 0 i }
requires { full_up_to g1 i }
variant  { i }
ensures  { full_up_to g2 i }
= if i > 0 then
begin
assert { full_up_to g1 (i-1) };
full_up_to_frame g1 g2 (i-1)
end

let lemma full_up_to_frame_all (g1 g2:grid) (i:int)
requires { 0 <= i <= 81 }
requires { grid_eq g1 g2 }
requires { full_up_to g1 i }
ensures  { full_up_to g2 i }
= assert { grid_eq_sub g1 g2 0 i }

let lemma valid_chunk_frame (start:array int) (offsets:array int) (g1 g2:grid) (i:int)
requires { chunk_valid_indexes start offsets }
requires { 0 <= i < 81 }
requires { grid_eq g1 g2 }
requires { valid_chunk g1 i start offsets }
ensures  { valid_chunk g2 i start offsets }
= ()

let rec lemma valid_up_to_frame (s:sudoku_chunks) (g1 g2:grid) (i:int)
requires { well_formed_sudoku s }
requires { 0 <= i <= 81 }
requires { grid_eq g1 g2 }
requires { valid_up_to s g1 i }
variant  { i }
ensures  { valid_up_to s g2 i }
= if i > 0 then
begin
assert { valid_up_to s g1 (i-1) };
valid_up_to_frame s g1 g2 (i-1);
valid_chunk_frame s.column_start s.column_offsets g1 g2 (i-1);
valid_chunk_frame s.row_start s.row_offsets g1 g2 (i-1);
valid_chunk_frame s.square_start s.square_offsets g1 g2 (i-1);
end

```

how to prove the "hard" property : if

`valid_up_to s g i`

and

`h = g[i <- k` (with 1 <= k <= 9)]

and

`valid_column s h i /\ valid_row s h i /\ valid_square s h i`

then

`valid_up_to s h (i+1)`

then the problem is that one should prove that for each `j` in `0..i-1` :

`valid_column s h j /\ valid_row s h j /\ valid_square s h j`

this is true but with 2 different possible reasons:

if `column_start j = column_start i` then `valid_column s h j` is true because `valid_column s h i` is true else `valid_column s h j` is true because `valid_column s g j` is true because `valid_column s h j` does not depend on `h[i]`

```  lemma valid_unchanged_chunks:
forall g : grid, i1 i2 k:int, start offsets:array int.
disjoint_chunks start offsets ->
is_index i1 /\ is_index i2 /\ 1 <= k <= 9 ->
let s1 = start[i1] in
let s2 = start[i2] in
let h = Map.set g i1 k in
s1 <> s2 /\ valid_chunk g i2 start offsets ->
valid_chunk h i2 start offsets

lemma valid_changed_chunks:
forall g : grid, i1 i2 k:int, start offsets:array int.
is_index i1 /\ is_index i2 /\ 1 <= k <= 9 ->
let s1 = start[i1] in
let s2 = start[i2] in
let h = Map.set g i1 k in
s1 = s2 /\ valid_chunk h i1 start offsets ->
valid_chunk h i2 start offsets

let ghost valid_up_to_change (s:sudoku_chunks) (g:grid) (i x : int)
requires {  well_formed_sudoku s }
requires { is_index i }
requires { valid_up_to s g i }
requires { 1 <= x <= 9 }
requires { valid_column s (Map.set g i x) i }
requires { valid_row s (Map.set g i x) i }
requires { valid_square s (Map.set g i x) i }
ensures  { valid_up_to s (Map.set g i x) (i+1) }
= ()

exception SolutionFound
```

### The main solver loop

```  let rec solve_aux (s:sudoku_chunks) (g : array int) (i : int)
requires { well_formed_sudoku s }
requires { g.length = 81 }
requires { valid_values g.elts }
requires { 0 <= i <= 81 }
requires { valid_up_to s g.elts i }
requires { full_up_to g.elts i }
writes  { g }
variant { 81 - i }
ensures { grid_eq (old g).elts g.elts }
ensures { forall h : grid. included g.elts h /\ full h -> not (valid s h) }
raises { SolutionFound -> is_solution_for s g.elts (old g).elts }
= if i = 81 then raise SolutionFound;
(* assert { is_index i }; *)
if g[i] <> 0 then
try
(* assert { 1 <= g[i] <= 9 }; *)
check_valid_chunk g i s.column_start s.column_offsets;
check_valid_chunk g i s.row_start s.row_offsets;
check_valid_chunk g i s.square_start s.square_offsets;
solve_aux s g (i + 1)
with Invalid -> ()
end
else
begin
let ghost old_g = g.elts in
for k = 1 to 9 do
invariant { grid_eq old_g (Map.set g.elts i 0) }
invariant { full_up_to g.elts i }
invariant { (* for completeness *)
forall k'. 1 <= k' < k ->
let g' = Map.set old_g i k' in
forall h : grid. included g' h /\ full h -> not (valid s h) }
g[i] <- k;
valid_up_to_frame s old_g (Map.set g.elts i 0) i;
try
check_valid_chunk g i s.column_start s.column_offsets;
check_valid_chunk g i s.row_start s.row_offsets;
check_valid_chunk g i s.square_start s.square_offsets;
(* the hard part: see lemma valid_up_to_change *)
assert { let grid' = Map.set old_g i k in
grid_eq grid' g.elts &&
valid_chunk grid' i s.column_start s.column_offsets &&
valid_chunk grid' i s.row_start s.row_offsets &&
valid_chunk grid' i s.square_start s.square_offsets &&
valid_up_to s grid' (i+1) };
valid_up_to_change s old_g i k;
solve_aux s g (i + 1)
with Invalid ->
assert { (* for completeness *)
not (valid s (Map.set old_g i k)) };
assert { (* for completeness *)
let g' = Map.set old_g i k in
forall h : grid. included g' h /\ full h -> not (valid s h) }
end
done;
g[i] <- 0;
assert { (* for completeness *)
forall h:grid. included old_g h /\ full h ->
let k' = Map.get h i in
let g' = Map.set old_g i k' in
included g' h }
end

exception NoSolution

let solve (s:sudoku_chunks) (g : array int)
requires { well_formed_sudoku s }
requires { g.length = 81 }
requires { valid_values g.elts }
writes   { g }
ensures  { result = g }
ensures  { is_solution_for s g.elts (old g).elts }
raises   { NoSolution ->
forall h : grid. included g.elts h /\ full h -> not (valid s h)  }
=
try solve_aux s g 0;
raise NoSolution
with SolutionFound -> g
end

let check_then_solve (s:sudoku_chunks) (g : array int)
requires { well_formed_sudoku s }
requires { g.length = 81 }
requires { valid_values g.elts }
writes   { g }
ensures  { result = g }
ensures  { is_solution_for s g.elts (old g).elts }
raises   { NoSolution ->
forall h : grid. included g.elts h /\ full h -> not (valid s h)  }
=
if check_valid s g then solve s g else raise NoSolution

end

(* Proof in progress
module RandomSolver

(* a variant: solve using a random order of cells *)

use Grid
use array.Array
use int.Int
use random.Random

use Solver

let rec solve_aux (s:sudoku_chunks) (randoffset:int) (g : array int) (i : int)
requires { well_formed_sudoku s }
requires { 0 <= randoffset <= 80 }
requires { g.length = 81 }
requires { valid_values g.elts }
requires { 0 <= i <= 81 }
requires { valid_up_to s g.elts i }
requires { full_up_to g.elts i }
writes  { g }
variant { 81 - i }
ensures { grid_eq (old g).elts g.elts }
ensures { forall h : grid. included g.elts h /\ full h -> not (valid s h) }
raises { SolutionFound -> is_solution_for s g.elts (old g).elts }
= if i = 81 then raise SolutionFound;
(* assert { is_index i }; *)
let j = i + randoffset in
let j = if j >= 81 then j - 81 else j in
(* assert { is_index j }; *)
if g[j] <> 0 then
try
(* assert { 1 <= g[j] <= 9 }; *)
Solver.check_valid_chunk g j s.column_start s.column_offsets;
check_valid_chunk g j s.row_start s.row_offsets;
check_valid_chunk g j s.square_start s.square_offsets;
solve_aux s randoffset g (i + 1)
with Invalid -> ()
end
else
begin
label L in
for k = 1 to 9 do
invariant { grid_eq (g at L).elts (Map.set g.elts j 0) }
invariant { full_up_to g.elts i } (* TODO i -> j *)
invariant { (* for completeness *)
forall k'. 1 <= k' < k ->
let g' = Map.set (g at L).elts i k' in (* TODO i -> j *)
forall h : grid. included g' h /\ full h -> not (valid s h) }
g[j] <- k;
try
check_valid_chunk g j s.column_start s.column_offsets;
check_valid_chunk g j s.row_start s.row_offsets;
check_valid_chunk g j s.square_start s.square_offsets;
(* the hard part: see lemma valid_up_to_change *)
(* TODO i -> j *)
assert { let grid' = Map.set (g at L).elts i k in
grid_eq grid' g.elts &&
valid_chunk grid' i s.column_start s.column_offsets &&
valid_chunk grid' i s.row_start s.row_offsets &&
valid_chunk grid' i s.square_start s.square_offsets &&
valid_up_to s grid' (i+1) };
assert { valid_up_to s g.elts (i+1) };
solve_aux s randoffset g (i + 1)
with Invalid ->
assert { (* for completeness *)
not (valid s (Map.set (g at L).elts i k)) };
assert { (* for completeness *)
let g' = Map.set (g at L).elts i k in
forall h : grid. included g' h /\ full h -> not (valid s h) }
end
done;
g[j] <- 0;
assert { (* for completeness *)
forall h:grid. included (g at L).elts h /\ full h ->
let k' = Map.get h i in
let g' = Map.set (g at L).elts i k' in
included g' h }
end

exception NoSolution

let solve (s:sudoku_chunks) (g : array int)
requires { well_formed_sudoku s }
requires { g.length = 81 }
requires { valid_values g.elts }
writes   { g }
ensures  { result = g }
ensures  { is_solution_for s g.elts (old g).elts }
raises   { NoSolution ->
forall h : grid. included g.elts h /\ full h -> not (valid s h)  }
=
try
let randoffset = 27 in
solve_aux s randoffset g 0;
raise NoSolution
with SolutionFound -> g
end

let check_then_solve (s:sudoku_chunks) (g : array int)
requires { well_formed_sudoku s }
requires { g.length = 81 }
requires { valid_values g.elts }
writes   { g }
ensures  { result = g }
ensures  { is_solution_for s g.elts (old g).elts }
raises   { NoSolution ->
forall h : grid. included g.elts h /\ full h -> not (valid s h)  }
=
if check_valid s g then solve s g else raise NoSolution

end
*)

```

## Some Tests

```module Test

use Grid
use TheClassicalSudokuGrid

use Solver
use map.Map
use array.Array

let test0 ()
raises { NoSolution -> true }
= let a = Array.make 81 0 in
solve (classical_sudoku()) a
(* a possible solution:
1, 2, 3, 4, 5, 6, 7, 8, 9,
4, 5, 6, 7, 8, 9, 1, 2, 3,
7, 8, 9, 1, 2, 3, 4, 5, 6,
2, 1, 4, 3, 6, 5, 8, 9, 7,
3, 6, 5, 8, 9, 7, 2, 1, 4,
8, 9, 7, 2, 1, 4, 3, 6, 5,
5, 3, 1, 6, 4, 2, 9, 7, 8,
6, 4, 2, 9, 7, 8, 5, 3, 1,
9, 7, 8, 5, 3, 1, 6, 4, 2
*)
```

Solving the empty grid: easy, yet not trivial

```(*
2 0 9 0 0 0 0 1 0
0 0 0 0 6 0 0 0 0
0 5 3 8 0 2 7 0 0
3 0 0 0 0 0 0 0 0
0 0 0 0 7 5 0 0 3
0 4 1 2 0 8 9 0 0
0 0 4 0 9 0 0 2 0
8 0 0 0 0 1 0 0 5
0 0 0 0 0 0 0 7 6
*)
```

A grid known to be solvable

```  let test1 ()
raises { NoSolution -> true }
= let a = Array.make 81 0 in
a[0] <- 2;
a[2] <- 9;
a[7] <- 1;
a[13] <- 6;
a[19] <- 5;
a[20] <- 3;
a[21] <- 8;
a[23] <- 2;
a[24] <- 7;
a[27] <- 3;
a[40] <- 7;
a[41] <- 5;
a[44] <- 3;
a[46] <- 4;
a[47] <- 1;
a[48] <- 2;
a[50] <- 8;
a[51] <- 9;
a[56] <- 4;
a[58] <- 9;
a[61] <- 2;
a[63] <- 8;
a[68] <- 1;
a[71] <- 5;
a[79] <- 7;
a[80] <- 6;
assert { valid_values a.Array.elts };
solve (classical_sudoku()) a

(* the solution:

2, 6, 9, 3, 5, 7, 8, 1, 4,
1, 8, 7, 9, 6, 4, 5, 3, 2,
4, 5, 3, 8, 1, 2, 7, 6, 9,
3, 7, 5, 6, 4, 9, 2, 8, 1,
9, 2, 8, 1, 7, 5, 6, 4, 3,
6, 4, 1, 2, 3, 8, 9, 5, 7,
7, 1, 4, 5, 9, 6, 3, 2, 8,
8, 3, 6, 7, 2, 1, 4, 9, 5,
5, 9, 2, 4, 8, 3, 1, 7, 6

*)

let test2 ()
raises { NoSolution -> true }
= let a = Array.make 81 1 in
solve (classical_sudoku()) a
```

A trivially unsolvable grid

```end

```